[wp-forums] moderated security thread

Peter Westwood peter.westwood at ftwr.co.uk
Thu Jun 24 18:15:36 UTC 2010


On 24 Jun 2010, at 15:16, James Huff wrote:

> I reported it to the security email, included the view all link, and deleted the topic to remove it from public view.
> 
> It wouldn't hurt if someone else reported it too. "The squeaky wheel gets the grease."
> 
> ________
> James Huff
> http://www.macmanx.com
> http://programnotes.wikia.com
> 
> On Jun 24, 2010, at 6:30 AM, mrmist <listswptesters at mist.org.uk> wrote:
> 
>> Hi folk
>> 
>> I noticed that this thread http://wordpress.org/support/topic/414556?replies=3&view=all was moderated out. Was it a red herring, or if not a red herring did whoever moderated it out report the issue?  Just wanting to make sure it's properly dealt with if it is a real risk.
>> 

Not seen the email to security@ it may have got lost in the spam noise though.

This reads very much like the standard report of XSS issues which are only present when you are logged in as an admin as you are inherently a trusted user.

The place to to point the user is this FAQ entry - http://codex.wordpress.org/Security_FAQ#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F

Then ask them to report to security@ if they find a real issue using a non-admin / editor user

Cheers
-- 
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5



More information about the wp-forums mailing list