[wp-trac] [WordPress Trac] #33402: Zero Day on the Comment section on latest wordpress release
WordPress Trac
noreply at wordpress.org
Tue Aug 18 09:00:06 UTC 2015
#33402: Zero Day on the Comment section on latest wordpress release
--------------------------+------------------------------
Reporter: 3ntr0py | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.2.4
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+------------------------------
Changes (by Clorith):
* status: new => closed
* resolution: => invalid
Comment:
Hi @3ntr0py, and welcome.
It seems in this case that you are signed in as a user with the capabilities
that allow you to make entries with unfiltered HTML (as can be seen by the
`_wp_unfiltered_html_comment` entry in your example above).
This means you can post anything to your own comments field while signed
in as the user you are currently using.
We do appreciate responsible disclosure of potential security risks; any
suspected vulnerability should be reported to security at wordpress.org (see
the handbook article at
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
for details).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33402#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
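The mechanism the triage comment refers to, as an added stand-alone PHP example that is not part of the ticket and not WordPress source code: a user holding the `unfiltered_html` capability only bypasses the comment HTML filter when the `_wp_unfiltered_html_comment` nonce submitted with the form is valid for that user; for everyone else, and for a privileged user whose request lacks the nonce (for example one triggered cross-site), the filter is applied. The allowlist filter below is a crude stand-in for `wp_kses()`, `hash_hmac()` stands in for `wp_create_nonce()`, the secret and the user records are constructed for the demo, and the exact shape of the check is modeled on the 4.2-era `wp-comments-post.php` from memory rather than copied from it.

```php
<?php
// Added example: a model of how comment content is gated on the unfiltered_html
// capability plus the _wp_unfiltered_html_comment nonce. Not WordPress code.
// Assumptions: filter_comment_html() stands in for wp_kses(), hash_hmac() for
// wp_create_nonce(), and a user is a plain array rather than a WP_User object.

const NONCE_SECRET = 'example-secret-not-a-real-salt'; // constructed for the demo

// Stand-in for wp_create_nonce( 'unfiltered-html-comment' ), bound to the user.
function make_unfiltered_html_nonce(int $user_id): string {
    return substr(hash_hmac('sha256', "unfiltered-html-comment|$user_id", NONCE_SECRET), 0, 10);
}

// Stand-in for wp_filter_kses(): keep a small allowlist of comment tags and
// strip inline event handlers and javascript: URLs from what survives.
function filter_comment_html(string $content): string {
    $allowed  = '<a><b><strong><em><i><blockquote><code><p>';
    $filtered = strip_tags($content, $allowed);
    $filtered = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|\S+)/i', '', $filtered);
    $filtered = preg_replace('/href\s*=\s*(["\']?)\s*javascript:[^"\'\s>]*\1/i', 'href="#"', $filtered);
    return $filtered;
}

// The gate: raw HTML is stored only when the user can unfiltered_html AND the
// per-user nonce matches. A missing or wrong nonce puts the filter back, which
// is what stops a logged-in admin from being made to post script via CSRF.
function process_comment_content(array $user, array $post): string {
    $can_unfiltered = in_array('unfiltered_html', $user['caps'], true);
    $nonce_ok = isset($post['_wp_unfiltered_html_comment'])
        && hash_equals(make_unfiltered_html_nonce($user['id']),
                       (string) $post['_wp_unfiltered_html_comment']);
    if ($can_unfiltered && $nonce_ok) {
        return $post['comment']; // stored as-is: the behaviour the reporter observed
    }
    return filter_comment_html($post['comment']);
}

// Constructed sample inputs.
$admin      = ['id' => 1, 'caps' => ['unfiltered_html']];
$subscriber = ['id' => 7, 'caps' => []];
$payload    = '<b>hi</b><img src=x onerror=alert(1)><a href="javascript:alert(2)">x</a>';

$cases = [
    'admin with nonce'      => [$admin, ['comment' => $payload,
                                         '_wp_unfiltered_html_comment' => make_unfiltered_html_nonce(1)]],
    'admin without nonce'   => [$admin, ['comment' => $payload]],
    'subscriber with nonce' => [$subscriber, ['comment' => $payload,
                                              '_wp_unfiltered_html_comment' => make_unfiltered_html_nonce(7)]],
];
foreach ($cases as $label => [$user, $post]) {
    printf("%-22s => %s\n", $label, process_comment_content($user, $post));
}
```

Run it with `php example.php`: only the "admin with nonce" case echoes the payload unchanged; the other two come back as `<b>hi</b><a href="#">x</a>`. That is why the presence of `_wp_unfiltered_html_comment` in the reporter's request is the tell: it shows the request was made by a privileged user who is allowed to post raw HTML to their own comment, not a bypass of the filter.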