Ready to get started?Download WordPress


[resolved] Security Hole - Comment system (4 posts)

  1. bigodines
    Posted 8 years ago #

    There is a major security hole in the comment system that allows XSS attacks. I've confirmed it on my default installation (with cocomment enabled). Is this a known issue? I'm gonna do some more testing with non-default installations but if you would like to help me on this, just comment a post with:

    <script>alert(666);</script> and see if you get it interpreted.


  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    Doesn't work for me. The script tags get stripped out.

  3. This will only work for a registered user who has the "unfiltered_html" capability which is normally only given to the original admin user.

  4. bigodines
    Posted 8 years ago #

    you are right. It only works when I'm logged.


Topic Closed

This topic has been closed to new replies.

About this Topic