WordPress.com Forums » Topic: URL parameters vulnerable to script injection? http://en.forums.wordpress.com/topic/url-parameters-vulnerable-to-script-injection WordPress.com Forums » Topic: URL parameters vulnerable to script injection? en Fri, 24 May 2013 11:37:34 +0000 http://bbpress.org/?v=1.1-alpha-2539 supportbot on "URL parameters vulnerable to script injection?" http://en.forums.wordpress.com/topic/url-parameters-vulnerable-to-script-injection#post-1028657 Wed, 03 Oct 2012 03:02:09 +0000 supportbot 1028657@http://en.forums.wordpress.com/ You did not specify a blog address or reason for posting when you created this topic.

This support forum is for blogs hosted at WordPress.com. If your question is about a self-hosted WordPress blog then you'll find help at the WordPress.org forums.

If you don't understand the difference between WordPress.com and WordPress.org, you may find this information helpful.

If you forgot to include a link to your blog, you can reply and include it below. It'll help people to answer your question.

This is an automated message.

]]> bethfreeman on "URL parameters vulnerable to script injection?" http://en.forums.wordpress.com/topic/url-parameters-vulnerable-to-script-injection#post-1028656 Wed, 03 Oct 2012 03:02:09 +0000 bethfreeman 1028656@http://en.forums.wordpress.com/ Hi, I paid for a security review of my wordpress blog and one of the items it came back with is a vulnerability to "extended injection" through URL parameters.

For instance, if you append a parameter to the end of a URL, like this:
http://examplewordpresssite.com/2011/1051/?D=%00qkoikf

Then the D parameter gets carried into other URLs on the page, like previous and next entries, comment links, and others.

Is the wordpress team aware of this? Is this a major issue I should be concerned about?

Thanks,

Elisabeth

]]>