Ticket #3516 (closed defect: duplicate)

Opened 2 years ago

Last modified 2 years ago

XSS in plugins.php

Reported by: xknown
Assigned to: anonymous
Priority: high
Milestone:
Component: Security
Version:
Severity: major
Keywords:
Cc:

Description

In the plugins list, the metadata of a plugin is not validated correctly, because it allows injecting XSS through:

  • Plugin Name
  • Version
  • Plugin URI
  • Author
  • Author URI

Actually it works even with inactive plugins, but IMHO an inactive plugin shouldn't be allowed to do anything.

This problem relies on blog administrators' responsibility to check whether the plugin comes from a trustworthy source or not.

PS. Sorry for my bad English.
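
One way to treat the header fields listed above as untrusted input, as an added example in PHP that is neither WordPress code nor part of the ticket; the function names, the field parser and the constructed sample header are assumptions:

```php
<?php
// Added example (not WordPress code): read the header fields the ticket lists
// from a plugin file's leading comment block, then escape text fields and
// restrict URI fields to http(s) before rendering a row of the plugins list.

const PLUGIN_HEADER_FIELDS = ['Plugin Name', 'Version', 'Plugin URI', 'Author', 'Author URI'];

function parse_plugin_header(string $source): array {
    $fields = [];
    foreach (PLUGIN_HEADER_FIELDS as $name) {
        // Header lines look like "Plugin Name: Foo" inside the leading comment.
        $pattern = '/^[ \t\/*#]*' . preg_quote($name, '/') . ':(.*)$/mi';
        $fields[$name] = preg_match($pattern, $source, $m) ? trim($m[1]) : '';
    }
    return $fields;
}

function escape_field(string $value): string {
    // Every header value is attacker-controlled text: encode it for HTML output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function escape_uri(string $uri): string {
    // Only http(s) links survive; javascript:, data: and malformed URIs are dropped.
    $parts = parse_url($uri);
    $scheme = is_array($parts) && isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    return in_array($scheme, ['http', 'https'], true) ? escape_field($uri) : '';
}

function render_plugin_row(array $f): string {
    $name      = escape_field($f['Plugin Name']);
    $uri       = escape_uri($f['Plugin URI']);
    $author    = escape_field($f['Author']);
    $authorUri = escape_uri($f['Author URI']);
    $nameHtml   = $uri !== '' ? "<a href=\"$uri\">$name</a>" : $name;
    $authorHtml = $authorUri !== '' ? "<a href=\"$authorUri\">$author</a>" : $author;
    return "<tr><td>$nameHtml</td><td>" . escape_field($f['Version']) . "</td><td>$authorHtml</td></tr>";
}

// Constructed sample header: markup in the name and a non-http scheme in the author URI.
$sample = "/*\nPlugin Name: Demo <script>alert(1)</script>\nVersion: 1.0\n"
        . "Plugin URI: http://example.com/demo\nAuthor: Someone\nAuthor URI: javascript:alert(1)\n*/\n";
echo render_plugin_row(parse_plugin_header($sample)), "\n";
```

The rendered row shows the name as literal text and drops the author link, which is the behaviour the plugins list needs regardless of whether the plugin is active.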

Change History

01/02/07 01:50:51 changed by Viper007Bond

  • keywords deleted.
  • status changed from new to closed.
  • resolution set to duplicate.
  • milestone deleted.

Duplicate of #3396

01/02/07 01:54:38 changed by Viper007Bond

This was fixed in 2.1 BTW.