A security issue in the wordpress backend. | WordPress.org

bounasser
(@bounasser)

10 years, 9 months ago

First of all I’m not even sure if this is the right place to discuss topics like these, nor do I know if this issue has been addressed before or not, but I had to post this ASAP.

if you go to the post edit screen and you change the title to something like: <script>alert( document.cookie )</script> and visit the post, you’ll find that the script gets injected and executed, just like an HTML eval(), the Rich Text Editor has the same problem and this works for both posts and pages.

I have noticed this problem back in version 4.2.2 if I can recall (with some plugins and themes installed), and I tried it today using a Fresh install of 4.3, and they both have the same issues 🙂

Viewing 2 replies - 1 through 2 (of 2 total)

Andrew Nevins
(@anevins)

WCLDN 2018 Contributor | Volunteer support

10 years, 9 months ago

See: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/

I might be missing the point, but if someone has access to your dashboard isn’t that more of a risk in general?

Thread Starter bounasser
(@bounasser)

10 years, 9 months ago

You’re absolutely right, but keep in mind that the code above may break a lot of plugins that list post/page titles, especially in terms of layout.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘A security issue in the wordpress backend.’ is closed to new replies.

Tags

In: Fixing WordPress
2 replies
2 participants
Last reply from: bounasser
Last activity: 10 years, 9 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics