[wp-trac] [WordPress Trac] #65221: Stored XSS issue – Script tag executes inside WordPress post Title
WordPress Trac
noreply at wordpress.org
Tue May 12 13:17:06 UTC 2026
#65221: Stored XSS issue – Script tag executes inside WordPress post Title
--------------------------+-----------------------------
Reporter: vivekawsm | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
A Stored XSS issue occurs when a <script>alert('test')</script> tag is
added inside the WordPress post title.
The script executes successfully on the frontend instead of being
sanitized or escaped.
Test Payload:
<script>alert('test')</script>
Environment
WordPress: 6.9.4
PHP: 8.5.3
Server: TasteWP-S6 Official/3.0.0 (nginx fork)
Database: mysqli (Server: 8.0.45-0ubuntu0.24.04.1 / Client: mysqlnd 8.5.3)
Browser: Firefox 150.0
OS: Windows 10/11
Theme: Twenty Twenty-Three 1.6
MU Plugins: None activated
Steps to Reproduce
 1. Log in to the WordPress admin dashboard.
 2. Navigate to Posts → Add New.
 3. Create a new post.
 4. Add the following payload inside the Post Title field:
    <script>alert('test')</script>
 5. Add normal content inside the post body.
 6. Publish the post.
 7. Open the published post on the frontend.
 8. Bug occurs — the JavaScript alert executes successfully.
Expected Results
The application should sanitize or escape <script> tags in the post
title.
JavaScript execution should be blocked.
The payload should display as plain text or be removed.
Actual Results
The <script> tag executes from the post title.
An alert popup appears on the frontend.
User-supplied JavaScript is rendered without sanitization.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65221>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
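
A site-level mitigation for the behaviour reported above, as an added example that is not part of the ticket or of WordPress core: a must-use plugin that applies KSES filtering to post titles for every account. It assumes the title was saved by an account holding the `unfiltered_html` capability (the ticket does not state the reporter's role); the file name and the `example_` function name are hypothetical.

```php
<?php
/**
 * Plugin Name: Example - KSES-filter post titles for every role
 *
 * Added example, not WordPress core code. Assumed location:
 * wp-content/mu-plugins/example-title-kses.php (hypothetical file name).
 */

defined( 'ABSPATH' ) || exit;

/*
 * Alternative without a plugin: add this line to wp-config.php to withdraw
 * the unfiltered_html capability from every role, so core's own filters
 * apply to titles, content and excerpts:
 *
 *     define( 'DISALLOW_UNFILTERED_HTML', true );
 */

/**
 * Strip disallowed markup from a title before it is written to the database.
 *
 * Core registers wp_filter_kses on 'title_save_pre' itself, but
 * kses_remove_filters() unregisters it for users with unfiltered_html.
 * Wrapping it in a separately named callback keeps this filter in place
 * for those users as well.
 *
 * @param string $title Slashed title, as passed to the *_save_pre filters.
 * @return string Slashed title limited to the default allowed inline tags.
 */
function example_title_kses_on_save( $title ) {
	// wp_filter_kses() expects slashed input and returns slashed output.
	// The <script> tags are removed; the text between them stays as plain text.
	return wp_filter_kses( $title );
}
add_filter( 'title_save_pre', 'example_title_kses_on_save' );

/*
 * Titles saved before this plugin was installed are still stored unfiltered,
 * so filter them at output time too. Priority 1 runs before core's default
 * 'the_title' callbacks and before markup added by other plugins.
 * wp_kses_data() expects unslashed data, which is what 'the_title' carries.
 */
add_filter( 'the_title', 'wp_kses_data', 1 );
```

After installing it, re-save the test post from the ticket and view the page source on the frontend: the title should contain `alert('test')` as text with no surrounding `<script>` element.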