
List:       full-disclosure
Subject:    Re: [FD] WordPress 4.2 stored XSS
From:       C0r3dump3d <coredump () autistici ! org>
Date:       2015-04-28 7:48:09
Message-ID: 553F3B39.8080800 () autistici ! org


Curiously, we had the same problem when we tried to report the
vulnerability CVE-2014-9034
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034) to
WordPress. We tried, repeatedly, to contact WP through HackerOne and
email, but they did not respond. Only through the intervention of
CERT/CC, and after about six months, did they show the necessary interest.


Andres.


On 27/04/15 at 23:33, Winni Neessen wrote:
> On 27.04.2015 at 16:55, Hanno Böck <hanno@hboeck.de> wrote:
> 
>> As there is still no fix from upstream I created a quick'n'dirty
>> fix for it: https://gist.github.com/hannob/a07f7b7e196c75c4c1a8 
>> https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
>> 
> 
> Looks like the WP team published an official fix: 
> https://wordpress.org/news/2015/04/wordpress-4-2-1/
> 
> "A few hours ago, the WordPress team was made aware of a
> cross-site scripting vulnerability, which could enable commenters
> to compromise a site. The vulnerability was discovered by Jouko
> Pynnönen."
> 
> 
> Winni
> 

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/