One of the test I try is the HTML everything test. I try every HTML tag to see if any show up in the response. This gives an idea on what tags could be used for injection techniques.
I narrowed it down to these tags but could not get a xss condition, that was not filtered.
But XSS is possible if it is directly put into the database as shown below.
So, if an attacker could gain access to the database the possibility to inject XSS is there due to the fact that WordPress does not sanitize the data presented to the browser.
No comments:
Post a Comment