Full Disclosure mailing list archives

Re: WordPress 4.2 stored XSS

From: Fyodor <fyodor () nmap org>
Date: Mon, 27 Apr 2015 13:37:41 -0700

On Mon, Apr 27, 2015 at 8:55 AM, Anthony Ferrara <ircmaxell () gmail com>
wrote:

Just for clarification, was the project given a chance to fix this or
notified in any way prior to public announcement?


Apparently WordPress completely ignored all of their notification attempts.
Klikki just added this paragraph to the online version of their advisory (
http://klikki.fi/adv/wordpress2.html):

"WordPress has refused all communication attempts about our ongoing
security vulnerability cases since November 2014. We have tried to reach
them by email, via the national authority (CERT-FI), and via HackerOne. No
answer of any kind has been received since November 20, 2014. According to
our knowledge, their security response team have also refused to respond to
the Finnish communications regulatory authority who has tried to coordinate
resolving the issues we have reported, and to staff of HackerOne, which has
tried to clarify the status our open bug tickets."

Sigh,
Fyodor

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

WordPress 4.2 stored XSS Jouko Pynnonen (Apr 26)
- Re: WordPress 4.2 stored XSS Scott Arciszewski (Apr 26)
- Re: WordPress 4.2 stored XSS Hanno Böck (Apr 27)
  - Re: WordPress 4.2 stored XSS Winni Neessen (Apr 27)
    - Re: WordPress 4.2 stored XSS C0r3dump3d (Apr 28)
- Re: WordPress 4.2 stored XSS Anthony Ferrara (Apr 27)
  - Re: WordPress 4.2 stored XSS Fyodor (Apr 27)
  - Re: WordPress 4.2 stored XSS Scott Arciszewski (Apr 27)
    - Re: WordPress 4.2 stored XSS Ryan Dewhurst (Apr 27)
    - Re: WordPress 4.2 stored XSS Scott Arciszewski (Apr 27)