Sidebars API - XSS or not XSS? #24863
Labels: [Feature] Widgets Screen (the block-based screen that replaced widgets.php); [Type] New API (new API to be used by plugin developers or package users).
Let's talk about the experimental `/__experimental/sidebars` API endpoint. As initially discovered in an unrelated issue, it is possible to send a POST request like:
And store a script that will be executed when the widget is rendered.
Initially I considered it to be a vulnerability, but then I tested `widgets.php` and discovered it exhibits the exact same behavior. That's perhaps unsurprising, considering that the experimental endpoint reuses the exact same code:

The endpoint access is restricted to administrators and editors who, by design, are allowed to use custom scripts. Therefore it seems to me like it's not a bug, it's a feature. What do you think @draganescu @noisysocks @TimothyBJacobs ?
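The behavior the issue describes rests on the `unfiltered_html` capability rather than on role names: WordPress grants it to administrators and editors on single-site installs, withholds it from everyone except super admins on multisite, and removes it from everyone when `DISALLOW_UNFILTERED_HTML` is defined as true. The following is an added illustration, not Gutenberg's sidebars endpoint or any code from this issue, of how a REST route that stores widget markup would apply that rule explicitly: users holding `unfiltered_html` may store raw `<script>`, everyone else has their markup passed through `wp_kses_post()`. The namespace `example/v1`, the route, the `content` argument, the handler name and the `example_widget_content` option are all hypothetical.

```php
<?php
// Added example, not Gutenberg code. Route, argument and option names are hypothetical.

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/widget-content', array(
		'methods'             => 'POST',
		// Same gate as widgets.php: only users who may manage widgets get this far.
		'permission_callback' => function () {
			return current_user_can( 'edit_theme_options' );
		},
		'args'                => array(
			'content' => array(
				'type'     => 'string',
				'required' => true,
			),
		),
		'callback'            => 'example_store_widget_content',
	) );
} );

/**
 * Store widget markup, filtering it unless the caller holds unfiltered_html.
 *
 * @param WP_REST_Request $request Request carrying the 'content' parameter.
 * @return WP_REST_Response
 */
function example_store_widget_content( WP_REST_Request $request ) {
	$content  = (string) $request->get_param( 'content' );
	$filtered = false;

	// Administrators and editors (single site) keep the ability to store
	// <script>, matching what widgets.php already allows. Anyone else has
	// script tags and on* handlers stripped by wp_kses_post().
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		$content  = wp_kses_post( $content );
		$filtered = true;
	}

	update_option( 'example_widget_content', $content, false );

	return rest_ensure_response( array(
		'stored'   => $content,
		'filtered' => $filtered,
	) );
}
```

A site that does not want any role to store inline scripts can define `DISALLOW_UNFILTERED_HTML` as true in `wp-config.php`; with this check in place the same request from an administrator would then come back with `filtered: true` and the `<script>` element removed, which is the quick way to verify that an endpoint is honoring the capability rather than the role.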