Curiously we had the same problem when we tried to communicate to
Wordpress the vulnerability CVE-2014-9034
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034). We
tried, repeatedly, to contact WP through HackerOne and email, but did
not r
"We also welcome bug reports for the open source projects WordPress,
BuddyPress, and bbPress."
Oh, I see. I was mistaken.
On Mon, Apr 27, 2015 at 4:51 PM, Ryan Dewhurst
wrote:
> They're registered as part of Automattic -
> https://hackerone.com/automattic
>
> On Mon, Apr 27, 2015 at 10:41 PM, S
They're registered as part of Automattic - https://hackerone.com/automattic
On Mon, Apr 27, 2015 at 10:41 PM, Scott Arciszewski
wrote:
> The author added a note on his page: http://klikki.fi/adv/wordpress2.html
>
> Also, searching HackerOne does not reveal a public WordPress program, only
> WP-A
On 27.04.2015 at 16:55, Hanno Böck wrote:
> As there is still no fix from upstream I created a quick'n'dirty fix
> for it:
> https://gist.github.com/hannob/a07f7b7e196c75c4c1a8
> https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
>
Looks like the WP team published an official fix:
ht
The author added a note on his page: http://klikki.fi/adv/wordpress2.html
Also, searching HackerOne does not reveal a public WordPress program, only
WP-API. Does this mean that WordPress was privately participating in
HackerOne for select hackers? If so, revealing that publicly is kind of
rude. :(
On Mon, Apr 27, 2015 at 8:55 AM, Anthony Ferrara
wrote:
> Just for clarification, was the project given a chance to fix this or
> notified in any way prior to public announcement?
>
Apparently WordPress completely ignored all of their notification attempts.
Klikki just added this paragraph to th
Just for clarification, was the project given a chance to fix this or
notified in any way prior to public announcement?
On Sun, Apr 26, 2015 at 4:13 PM, Jouko Pynnonen wrote:
> *Overview*
> Current versions of WordPress are vulnerable to a stored XSS. An
> unauthenticated attacker can inject Java
As there is still no fix from upstream I created a quick'n'dirty fix
for it:
https://gist.github.com/hannob/a07f7b7e196c75c4c1a8
https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
It certainly doesn't comply with any coding style or anything :-) but it
should protect you for now.
--
Ha
Using MySQL column truncation to trick an XSS past their filter... clever.
I never would have thought to do that. :)
On Sun, Apr 26, 2015 at 4:13 PM, Jouko Pynnonen wrote:
> *Overview*
> Current versions of WordPress are vulnerable to a stored XSS. An
> unauthenticated attacker can inject JavaSc
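The remark above about column truncation describes a general defensive lesson: a filter that runs before the database silently cuts a value has checked something other than what ends up stored. The following is an added illustration, not code from the thread or from WordPress; the 65535-byte limit mirrors a MySQL TEXT column, and the filter and comment are constructed stand-ins.

```python
import re

# Assumption: a MySQL TEXT column holds at most 65535 bytes; in non-strict
# sql_mode a longer value is silently cut to that width on INSERT.
TEXT_COLUMN_MAX = 65535

def toy_filter_ok(comment: str) -> bool:
    """Toy allow-list check standing in for a real HTML sanitiser:
    every attribute quote must be balanced and no <script tag may appear."""
    if comment.count('"') % 2:          # an unclosed attribute value
        return False
    return re.search(r"<script", comment, re.I) is None

def db_truncate(comment: str) -> str:
    """Emulate the database cutting the value to the column width."""
    return comment.encode()[:TEXT_COLUMN_MAX].decode(errors="ignore")

def store_unsafe(comment: str):
    """Filter first, then let the database truncate.
    Whatever lands in the column was never seen by the filter."""
    if not toy_filter_ok(comment):
        return None
    return db_truncate(comment)

def store_safe(comment: str):
    """Defender's fix: enforce the storage limit before filtering, and reject
    rather than cut, so the checked value is byte-for-byte the stored value."""
    if len(comment.encode()) > TEXT_COLUMN_MAX:
        return None
    if not toy_filter_ok(comment):
        return None
    return comment

# Constructed input: a well-formed link whose title attribute is long enough
# that its closing quote lies beyond the column boundary.
LONG_COMMENT = '<a title="' + "A" * TEXT_COLUMN_MAX + '">link</a>'

def demo() -> dict:
    stored = store_unsafe(LONG_COMMENT)
    return {
        "passed_filter": toy_filter_ok(LONG_COMMENT),                   # True
        "stored_still_ok": stored is not None and toy_filter_ok(stored),  # False
        "safe_rejected": store_safe(LONG_COMMENT) is None,              # True
    }
```

The unsafe path accepts the comment because it is well formed as submitted, yet the truncated copy it stores no longer passes the same filter; the safe path refuses anything the column cannot hold unchanged.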
*Overview*
Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.
If triggered by a logged-in administrator, under default settings the
attacker can leverage the vuln