2 vanilla XSS on WordPress 'wp-register.php'

by Adrian Pastor in News, WordPress

There are two vanilla XSS on 'wp-register.php'. Only early versions of the 2.0 branch are affected. Version 2.0 is vulnerable through the 'user_login' and 'user_email' parameters. Version 2.0.1 filters the 'user_login' parameter but is still vulnerable through the 'user_email' parameter (half-baked fix?). The XSS is only exploitable through a 'POST' request. WordPress 2.0.4 is not vulnerable, so I'm assuming anything after this is not vulnerable either (unless there is a comeback of course).

Note: user registration is disabled by default. Only sites with 'user registration' enabled are affected.

Lines 16 and 17 on version 2.0.1:

$user_login = sanitize_user( $_POST['user_login'] );
$user_email = $_POST['user_email'];

We can notice that 'user_login' is sanitized but 'user_email' is not and eventually gets printed without further filtering on line 114:

I contacted the vendor and asked them if these issues had been fixed silently, since I couldn't find them documented anywhere (even though they had been fixed from version 2.0.4 on). However, I got NO response from the vendor whatsoever.

Simple PoC:
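The root cause is the classic one: a request parameter is read without validation and later written into the page without output encoding. The following PHP is an added illustration and is not WordPress's own code: it mirrors the two assignments quoted above beside a hardened version that validates the address on input and HTML-encodes both values on output. The echo of the form fields, the `sanitize_user_stub()` helper, the `html_attr()` helper and the request body are all assumptions made so the snippet runs stand-alone (the real line 114 is not reproduced on this page).

```php
<?php
// Added illustration, not WordPress code: the unsafe pattern and its fix side by side.

// Hypothetical stand-in for the page's sanitize_user(): keep only a conservative
// username alphabet so the vulnerable variant can be run without WordPress.
function sanitize_user_stub(string $username): string
{
    return preg_replace('/[^a-z0-9_.\-@ ]/i', '', $username);
}

// Output-encoding helper (hypothetical name): every value reflected into an
// HTML attribute goes through htmlspecialchars() with ENT_QUOTES so that
// neither quotes nor angle brackets can close the attribute or the tag.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// VULNERABLE pattern: same two assignments as lines 16-17 on the page, followed by
// an assumed echo of the values into the registration form without encoding.
function register_form_vulnerable(array $post): string
{
    $user_login = sanitize_user_stub($post['user_login'] ?? '');
    $user_email = $post['user_email'] ?? '';        // untouched: no filter at all
    return '<input name="user_login" value="' . $user_login . '" />'
         . '<input name="user_email" value="' . $user_email . '" />'; // reflected raw
}

// HARDENED form: reject anything that is not a syntactically valid address on the
// way in, and encode both values on the way out. The encoding is the actual fix;
// the validation only narrows what can reach the page in the first place.
function register_form_hardened(array $post): string
{
    $user_login = sanitize_user_stub($post['user_login'] ?? '');
    $user_email = filter_var($post['user_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($user_email === false) {
        $user_email = '';   // invalid address: drop it rather than reflect it
    }
    return '<input name="user_login" value="' . html_attr($user_login) . '" />'
         . '<input name="user_email" value="' . html_attr($user_email) . '" />';
}

// Constructed POST body (not a real request): an "email" carrying markup characters.
$constructed_post = [
    'user_login' => 'alice',
    'user_email' => 'alice"><b>not-an-address</b>@example.com',
];

// With the vulnerable function the quote and angle brackets land in the HTML as-is;
// with the hardened one the value is rejected by the validator, and even a value that
// passed validation would be entity-encoded before it reaches the attribute.
echo register_form_vulnerable($constructed_post), PHP_EOL;
echo register_form_hardened($constructed_post), PHP_EOL;
```

The order of the two defences matters: input validation alone is what the 2.0.1 change did for 'user_login' and is easy to get wrong per-field, whereas encoding at the point of output covers every parameter that ends up in the page, which is why the half-fixed 'user_email' case could not have slipped through it.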
will popup '1' and '2' on version 2.0, and only '2' on version 2.0.1.

Cookie theft PoC:
Unrestricted script insertion from a third-party site (we prove we can inject ANY JS):