Skip to:
Content

bbPress.org

Opened 6 months ago

Closed 6 months ago

#3374 closed defect (fixed)

Self XSS possible in admin-area list-table Forum description

Reported by: johnjamesjacoby Owned by: johnjamesjacoby
Milestone: 2.6.5 Priority: high
Severity: minor Version: 2.1
Component: General - Administration Keywords:
Cc:

Description

When a user with the unfiltered_html capability (Admin or Editor role, traditionally) enters a Forum description via WordPress Admin, their HTML is rendered raw inside the admin-area list-table UI.

I'm considering this not to be a security issue, as privileged users (Admins, Editors, Keymasters, and Moderators) are trusted to understand the consequences of actions such as this one. In this case, they would already have access to these admin-area screens and form fields, and are trusted to modify them.

That being said, this behavior does not match how other admin-area list-tables behave – they intentionally escape this content in an excerpt format, so Forums should as well.

This finding was reported to the WordPress Security Team through the HackerOne bug bounty program.

Patch imminent.

Attachments (1)

3374.patch (761 bytes) - added by johnjamesjacoby 6 months ago.
Escape & excerpt Forum description in admin-area list-table

Download all attachments as: .zip

Change History (5)

@johnjamesjacoby
6 months ago

Escape & excerpt Forum description in admin-area list-table

#1 @johnjamesjacoby
6 months ago

In 7084:

Forums: Escape forum descriptions in admin-area list tables.

This commit ensures that HTML is not rendered where it is not intended to be, most important to users having the unfiltered_html capability.

Props binit.

In trunk, for 2.7.0.

See #3374.

#2 @johnjamesjacoby
6 months ago

In 7085:

Forums: Escape forum descriptions in admin-area list tables.

This commit ensures that HTML is not rendered where it is not intended to be, most important to users having the unfiltered_html capability.

Props binit.

In branches/2.6, for 2.6.5.

See #3374.

#3 @johnjamesjacoby
6 months ago

  • Milestone changed from 2.6.5 to 2.6.6

#4 @johnjamesjacoby
6 months ago

  • Milestone changed from 2.6.6 to 2.6.5
  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in 2.6.5.

Note: See TracTickets for help on using tickets.