XSS in post.php (5 posts)

  1. pedrojrulez
    Posted 11 years ago #

    It's possible to achieve some attacks (like phishing) by
    performing a post like this (from wp-admin/post.php):


    As WP won't dump quotes -but &#...;-, you must build
    the URL by passing UNICODE character codes to

    (Tested with Firefox 1.0.2, IE 6.0, WP 1.5 under Fedora
    Core 3, PHP 4.3.10.)

  2. Matt Mullenweg
    Posted 11 years ago #

    So you're saying that you can post content in your admin area and then people who see your blog will see that content? WP does not sanitize posts, whatever you put in there is shown to your blog visitors.

  3. Dougal Campbell
    Posted 11 years ago #

    Right, this is not any kind of "bug" in WP. If you can't trust a user to not publish "unsafe" code, then you probably shouldn't be giving them post permissions.

    That said, it would probably be trivial to whip up a plugin that would filter post content through kses for users below a certain level, just as comments currently are.
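    The plugin Dougal describes, sketched as an added example that is not from this thread or from WordPress core: it hooks the filter that runs on post content before it is saved and pushes the content through kses for any user lacking the unfiltered_html capability (the modern stand-in for "below a certain level"). The plugin name and function name are made up for the illustration; wp_filter_post_kses, current_user_can and content_save_pre are real WordPress APIs.

```php
<?php
/*
Plugin Name: Example Kses Post Filter
Description: Filters post content through kses for users without unfiltered_html.
*/

// Hypothetical illustration plugin; not a real or core WordPress plugin.
// Assumes a WordPress release that has capabilities (unfiltered_html)
// and the kses helpers in wp-includes/kses.php.

function example_kses_post_content( $content ) {
    // Trusted authors keep the raw markup they typed.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }

    // Everyone else gets the same treatment comments get: wp_filter_post_kses
    // strips slashes, runs wp_kses() with the 'post' allowed-tag list (no
    // script/iframe, no on* handlers, no javascript: URLs), then re-adds the
    // slashes that content_save_pre data carries.
    return wp_filter_post_kses( $content );
}

// content_save_pre fires on post_content before it is written to the
// database, so the stored copy is already sanitized and every template
// or feed that later prints it benefits.
add_filter( 'content_save_pre', 'example_kses_post_content', 10, 1 );
```

Later WordPress releases wire up essentially this in core (kses_init_filters in wp-includes/kses.php), so on a current install the plugin is redundant rather than harmful.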

  4. chuyskywalker
    Posted 11 years ago #


  5. davidhouse
    Posted 11 years ago #

    This is surely possible with or without WordPress. Like Dougal said, if you can't trust an author, don't make them an author.

Topic Closed

This topic has been closed to new replies.
