Huge Security Risk – how come nobody fixed that yet?

  • Resolved: euromark (@euromark)

    has some test strings (they are harmless). But others might not be!

    So how come nobody solves this security risk yet?
    it's as easy as htmlspecialchars() every comment / user input.

    See these examples:
    they are triggered in the backend as well as in the frontend (and can inject very dangerous code).

    the result is:
    a) reading out all cookie data: “This is remote text via xss.js located at wp-settings-1=…”
    b) breaking the layout (white screen of death)
    c) and other
    and this is not even close to what xss is capable of. just an example.
    usually the admin is not aware of it and the “dangerous code” has full admin rights as well. all get/ajax related requests could be triggered automatically with full admin rights.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Chris Olbekson (Level 12 Bug Squasher & Forum Moderator)

    Have you reported this yet?

    I would have thought that somebody already found that out – with 100000 of distributions so far…^^

    for the public area I can install a code highlight plugin. some are capable of securing the output (most are not!).
    but for the admin area I am not sure how to implement security hacks.

    just started to use WordPress – and I am shocked.
    those things are absolutely standard procedure in every web project.

    @euromark — were you logged in to WordPress at the time?

    From Peter Westwood:

    This reads very much like the standard report of XSS issues which are only present when you are logged in as an admin as you are inherently a trusted user.

    The place to point the user is this FAQ entry –

    Then ask them to report to if they find a real issue using a non-admin / editor user

  • Samuel Wood (Otto) (@otto42), Moderator and Admin

    Agreed, Admins and Editors have the unfiltered html capability, and yes, they can insert bad code. But if you don’t have the user role to do that, then you can’t do that.

    Make a new user lower than an Editor, then try your attack as that user. If it works, let us know.
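    Otto's answer turns on a capability check rather than blanket escaping: content saved by users without the unfiltered_html capability must be escaped (or kses-filtered) on output, while markup from Administrators and Editors is emitted as stored. The PHP below is an added example, not code from this thread or from WordPress core; it models that distinction with the plain htmlspecialchars() call the original poster asks for. The $comment array, the $trusted flag and the function names are assumptions of this example.

```php
<?php
// Added example, not code from this thread or from WordPress core.
declare(strict_types=1);

// Escape text for an HTML text node or a quoted attribute value.
// ENT_QUOTES matters: without it a single quote is left alone, so a value
// placed inside a single-quoted attribute can close that attribute.
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one comment. $trusted stands in for WordPress's unfiltered_html
// capability (Administrators and Editors in the thread above): only then is
// stored markup emitted as-is; everyone else's content is escaped.
function render_comment(array $comment, bool $trusted): string
{
    $author = esc_html_ctx($comment['author']);
    $body   = $trusted ? $comment['content'] : esc_html_ctx($comment['content']);
    return "<li class=\"comment\" data-author='{$author}'>{$body}</li>";
}

// Self-check: does a fragment still contain a raw tag start or an unescaped
// single quote that could break out of the surrounding attribute?
function contains_raw_markup(string $fragment): bool
{
    return preg_match('/<[a-zA-Z\/!]/', $fragment) === 1
        || strpos($fragment, "'") !== false;
}

// Constructed sample input mirroring the thread's test: a comment that tries
// to load a remote script and an author name carrying a single quote.
$comment = [
    'author'  => "O'Brien",
    'content' => '<script src="xss.js"></script>',
];

// A comment from a user below Editor is inert: the tag is now text and the
// quote is entity-encoded.
assert(!contains_raw_markup(esc_html_ctx($comment['content'])));
assert(!contains_raw_markup(esc_html_ctx($comment['author'])));
// The same content from an unfiltered_html user is emitted verbatim, which is
// the behaviour Otto describes, so that capability must stay restricted.
assert(strpos(render_comment($comment, true), '<script') !== false);

// Caveat: before PHP 8.1 htmlspecialchars() defaulted to ENT_COMPAT, leaving
// single quotes unescaped; always pass the flags explicitly as above.
echo render_comment($comment, false), PHP_EOL;
```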

  • The topic ‘Huge Security Risk – how come nobody fixed that yet?’ is closed to new replies.