[wp-trac] [WordPress Trac] #60598: Cross-site Scripting (XSS) in wordpress core files

WordPress Trac noreply at wordpress.org
Thu Feb 22 09:45:38 UTC 2024


#60598: Cross-site Scripting (XSS) in wordpress core files
--------------------------+----------------------
 Reporter:  savannahj     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  6.1.1
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by swissspidy):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Comment:

 Hi there and welcome to WordPress Trac,

 When you created this ticket, you were presented multiple notices about
 not reporting security issues on Trac. You should always
 [http://make.wordpress.org/core/handbook/reporting-security-vulnerabilities/ report potential security issues]
 to the [https://hackerone.com/wordpress WordPress HackerOne program] instead.
 Please do not ignore these warnings next time.

 With that said, those warnings you shared are invalid / false positives.
 `get_users()` does not operate on any HTTP parameters as input. And the
 `wp_terms_checklist()` function is expected to echo the output like this,
 so that's working as intended.

 Please read through the above documentation if you use any such scanning
 tool and manually verify issues reported by such tools and include a valid
 proof of concept when reporting via HackerOne.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60598#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform