WordPress.org

Support

Support » Requests and Feedback » WP still hasn’t fixed XSS Vulnerability in unsanitized comments?!?!

WP still hasn’t fixed XSS Vulnerability in unsanitized comments?!?!

  • I just upgraded (long overdue) to the latest version of WP (2.9.1) after getting hacked. I noticed that in the old version of WP, you could add javascript to a comment and it would execute!

    I have just upgraded, and assumed that this would be fixed, but it hasn’t!

    If you want to be terrified, give it a try yourself.

    All someone needs to do is put this in a comment:

    <script>document.location=”http://www.bad-website-goes-here.com”;</script>

    …and anyone who visits that post will be redirected to another site that could do all sorts of bad things, like load malware, or phish for info, etc…

    PLEASE PLEASE PLEASE patch this!

    In the meantime, I guess I have to write a plug-in to sanitize comments? How could this have been left open for soooo long?!

Viewing 4 replies - 1 through 4 (of 4 total)
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘WP still hasn’t fixed XSS Vulnerability in unsanitized comments?!?!’ is closed to new replies.
Skip to toolbar