It’s possible to achieve some attacks (like phishing) by
performing a post like this (from wp-admin/post.php):
As WP won’t dump quotes -but &#…;-, you must build
the URL by passing UNICODE character codes to
(Tested with Firefox 1.0.2, IE 6.0, WP 1.5 under Fedora
Core 3, PHP 4.3.10.)
- The topic ‘XSS in post.php’ is closed to new replies.