-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 take a look at http://codex.wordpress.org/Roles_and_Capabilities By design the administrator can post anything ... even js/html ciri@xxxxxxxxxx wrote: > If you're logged in into wordpress as an admin, your comments aren't properly sanitized, thus allowing an XSS to be posted. This can be exploited using XSRF techniques. > > More info & PoC: http://www.virtuax.be/advisories/Advisory4-20022007.txt - -- Regards Vladimir Vitkov Operations Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF7SZYoiOVExCFVC0RAgMfAKC62x+mbjzHlhTEQn3QZg9IIyJokgCgmf9w G2DDt/YPlrn22KDNzWGbJx4= =UJPB -----END PGP SIGNATURE-----