WordPress Comment XSS Vulnerability
WordPress comments are allowing all HTML tags, including the <script> tag, and this is very vulnerable to XSS attacks.

We normally use the wp_list_comments function to list out all comments, and according to the WordPress unit test data we need to allow almost all tags in the comments (ex. http://wptest.io/demo/comments/comment-page-1/#comments ).

It also runs JavaScript code; isn't that dangerous?

Any suggestion regarding this?


WP shouldn't be affected, as WP has functions in place to strip out XSS stuff (using esc_raw and esc_html etc.), but if you think there is an issue then test it on a demo site; if you can show a working example then email security@wordpress.org and they will look into the issue.
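For anyone who finds that a theme or plugin has relaxed the default comment filtering, here is an added example (not code from the thread or from WordPress core) of a small plugin that forces every comment through `wp_kses()` with an explicit tag allow-list on both input and output. The allow-list and the function names prefixed `example_` are this example's own choices; `wp_kses`, `add_filter`, and the `pre_comment_content` and `comment_text` hooks are WordPress core APIs.

```php
<?php
/*
 * Plugin Name: Example Comment Allow-list
 * Added example, not part of the original thread: every comment is run
 * through wp_kses() with a fixed allow-list so <script> tags, on* event
 * handlers and javascript: URLs never reach the stored comment or the page,
 * even if another plugin removed core's default kses filters or the author
 * has the unfiltered_html capability.
 */

// Allow-list of tags and attributes (chosen for this example):
// inline formatting only, no scripts, no style, no event-handler attributes.
function example_comment_allowed_html() {
    return array(
        'a'          => array( 'href' => true, 'title' => true, 'rel' => true ),
        'b'          => array(),
        'strong'     => array(),
        'em'         => array(),
        'i'          => array(),
        'code'       => array(),
        'blockquote' => array( 'cite' => true ),
    );
}

// Sanitise comment HTML: wp_kses() strips tags and attributes that are not
// on the allow-list and rejects href values whose scheme is not listed,
// so "javascript:" links are removed along with <script> blocks.
function example_sanitize_comment( $content ) {
    return wp_kses(
        $content,
        example_comment_allowed_html(),
        array( 'http', 'https', 'mailto' )
    );
}

// Input side: runs before the comment is saved, for every author.
// Priority 20 places it after core's own kses filters (priority 10).
add_filter( 'pre_comment_content', 'example_sanitize_comment', 20 );

// Output side: wp_list_comments() renders each body through comment_text(),
// which applies the 'comment_text' filter. Filtering here at an early
// priority also covers comments that were stored before this plugin existed.
add_filter( 'comment_text', 'example_sanitize_comment', 5 );
```

Dropping the file into `wp-content/plugins/` and activating it is enough; the allow-list can then be widened tag by tag as the theme actually requires, rather than opening it up to all HTML.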