[wp-trac] [WordPress Trac] #49430: XSS scripting in Post title

WordPress Trac noreply at wordpress.org
Fri Feb 14 09:34:08 UTC 2020


#49430: XSS scripting in Post title
--------------------------+----------------------
 Reporter:  nayeeem       |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  5.3.2
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by swissspidy):

 * status:  new => closed
 * focuses:  privacy, coding-standards =>
 * resolution:   => invalid
 * severity:  critical => normal
 * milestone:  Awaiting Review =>


Comment:

 Hi @nayeeem

 Welcome to WordPress Trac!

 When creating this ticket you were shown a big **Do not report potential
 security vulnerabilities here.** warning. You even checked a checkbox that
 said "I am not reporting a security issue". Nevertheless you proceeded to
 create this ticket about a potential security vulnerability.

 Please do not do this! Be mindful next time about
 [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ reporting security vulnerabilities]
 and use [https://hackerone.com/wordpress our HackerOne program] instead.

 That being said, please note that users with Administrator or Editor roles
 are allowed to publish unfiltered HTML in post titles, post content, and
 comments, and upload HTML files to the media library. So what you are
 seeing is entirely expected behavior.

 If you are running security tests against WordPress, use a lesser
 privileged user so that all content is filtered. If you are concerned
 about an Administrator or Editor putting XSS into content and stealing
 cookies, note that all cookies are marked for HTTP only delivery, and are
 divided into privileged cookies used for admin pages, and unprivileged
 cookies used for public facing pages. Content is never displayed
 unfiltered within the admin dashboard.

 And again, if you ''do'' find a valid security issue, report it via
 HackerOne!

 Thanks for understanding.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49430#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
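The comment above describes the design: content from users who hold the `unfiltered_html` capability (Administrators and Editors on a single site) is stored as-is, while everyone else's titles, content and comments are run through the kses filters on save. A site that does not want that trust boundary can turn it off. The following must-use plugin is an added example, not part of WordPress core or of this ticket; the plugin name and file are hypothetical, but `map_meta_cap`, `do_not_allow`, `unfiltered_html` and `DISALLOW_UNFILTERED_HTML` are real core identifiers.

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html for all users (added example)
 *
 * Hypothetical must-use plugin: save as wp-content/mu-plugins/deny-unfiltered-html.php.
 * It denies the unfiltered_html capability for every user, so post titles,
 * post content and comments from Administrators and Editors pass through the
 * same wp_kses_post() filtering as lower-privileged users' content.
 * Core's own switch for this is a line in wp-config.php:
 *     define( 'DISALLOW_UNFILTERED_HTML', true );
 * Doing it through the map_meta_cap filter instead lets a site scope or log the decision.
 */

// map_meta_cap() maps a meta capability such as unfiltered_html to the primitive
// caps a user must hold. Returning the sentinel 'do_not_allow' makes
// current_user_can( 'unfiltered_html' ) false for everyone, including Administrators.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
	if ( 'unfiltered_html' === $cap ) {
		return array( 'do_not_allow' );
	}
	return $caps;
}, 10, 4 );

// Nothing else is needed: on each request core's kses_init() checks the current
// user's unfiltered_html capability and, when it is denied, attaches the
// wp_filter_kses / wp_filter_post_kses save-time filters (title_save_pre,
// content_save_pre, pre_comment_content, ...) that strip disallowed markup.
```

To confirm the effect after dropping the file in place, check the capability for an administrator account (user ID 1 in this constructed example) with WP-CLI: `wp eval "var_dump( user_can( 1, 'unfiltered_html' ) );"` should print `bool(false)`. Two caveats worth knowing: on a multisite network only Super Admins hold `unfiltered_html` by default, so site-level Administrators and Editors are already filtered there; and denying the capability does not rewrite content that was saved before the change, so existing posts should be reviewed separately.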