• Hi,

    I’m using a custom WordPress theme with a Search widget. It was discovered that there is an XSS vulnerability through this. The user can add /?s= and pass through a <script> </script> tag and alter the HTML in my page.

    Any clues on how to go about fixing this?

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • By contacting people who made the theme?

    Thread Starter anderpete22

    (@anderpete22)

    Is the search widget not an included part of WordPress? I thought this could be a common issue.

    Ah, if it is the standard WP search widget then yes, it is part of WP. I thought that the theme maker made their own search widget.

    Thread Starter anderpete22

    (@anderpete22)

    Nope, but the “s” parameter in the URL when performing a search is allowing users to interject <script></script> tags into the page. I was wondering if anyone knows of a way to handle this.

    That should be handled by core WordPress developers, because any XSS vulnerability is a serious one. You should report what you’ve found to them.
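An added example, not code from this thread or from WordPress core: the typical cause of the behaviour described above is a theme's own search template writing the raw `s` request parameter into markup. Shown below is a hypothetical `searchform.php` fragment with that weak pattern beside a version using the WordPress escaping helpers (`get_search_query()`, `esc_html()`, `esc_url()`); the function names are made up for illustration.

```php
<?php
// Hypothetical theme search template (constructed example).
// Core's get_search_form() and the stock Search widget already escape the term;
// the reflected XSS appears when a theme bypasses them and echoes $_GET['s'].

// --- Weak pattern: raw request input written straight into HTML ---
function my_theme_search_form_unsafe() {
    $query = isset( $_GET['s'] ) ? $_GET['s'] : '';
    // Anything supplied in ?s= lands in the page unescaped, both inside the
    // value="" attribute and in the text node below it.
    return '<form role="search" method="get" action="' . home_url( '/' ) . '">'
        . '<input type="search" name="s" value="' . $query . '" />'
        . '<p>Results for: ' . $query . '</p>'
        . '</form>';
}

// --- Hardened pattern: escape for the exact context the value lands in ---
function my_theme_search_form_safe() {
    // get_search_query() returns the current term passed through esc_attr()
    // by default, which is the right escaping for an attribute value.
    $attr_query = get_search_query();
    // For element text, take the raw term (escaped = false) and apply
    // esc_html() so it is not double-escaped.
    $html_query = esc_html( get_search_query( false ) );
    return '<form role="search" method="get" action="' . esc_url( home_url( '/' ) ) . '">'
        . '<input type="search" name="s" value="' . $attr_query . '" />'
        . '<p>Results for: ' . $html_query . '</p>'
        . '</form>';
}
```

If the theme also prints the term in a page title or heading elsewhere (`search.php`, `header.php`), apply the same context-appropriate escaping there, since every echo of the parameter is a separate reflection point.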


The topic ‘WordPress XSS on Search Widget’ is closed to new replies.