#3516 closed defect (bug) (duplicate)
XSS in plugins.php
| Reported by: | xknown | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Severity: | major | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
In the plugins list, the metadata of a plugin is not validated correctly, because it allows injecting XSS through:
- Plugin Name
- Version
- Plugin URI
- Author
- Author URI
Actually it works even with inactive plugins, but IMHO, an inactive plugin shouldn't be allowed to do anything.
This problem relies on blog administrators' responsibility to see if the plugin comes from a trustable source or not.
PS. Sorry for my bad English.
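Added example, not code from the ticket or from WordPress itself, showing the defensive side of the report: the five header fields listed above are parsed from a plugin file, the text fields are HTML-escaped when the plugins list row is rendered, and the two URI fields only become links when they carry an http(s) scheme. The function names and the sample plugin header below are assumptions constructed for this illustration.

```php
<?php
// Added example (not WordPress code). Field names follow the plugin header
// convention ("Plugin Name:", "Version:", ...); everything else is assumed.
$fields = ['Plugin Name', 'Version', 'Plugin URI', 'Author', 'Author URI'];

// Pull "Field: value" lines out of the plugin file's leading comment block.
function parse_plugin_header(string $source, array $fields): array {
    $data = [];
    foreach ($fields as $field) {
        $re = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
        $data[$field] = preg_match($re, $source, $m) ? trim($m[1]) : '';
    }
    return $data;
}

// Only well-formed http(s) URLs may become hrefs; any other scheme is dropped.
function safe_url(string $url): string {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) { return ''; }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

// Escape on output: every untrusted value is encoded in the HTML context it lands in.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_plugin_row(array $p): string {
    $name = esc($p['Plugin Name']);
    $author = esc($p['Author']);
    $uri = safe_url($p['Plugin URI']);
    $authorUri = safe_url($p['Author URI']);
    $nameCell = $uri !== '' ? '<a href="' . esc($uri) . '">' . $name . '</a>' : $name;
    $authorCell = $authorUri !== '' ? '<a href="' . esc($authorUri) . '">' . $author . '</a>' : $author;
    return '<tr><td>' . $nameCell . '</td><td>' . esc($p['Version']) . '</td><td>' . $authorCell . '</td></tr>';
}

// Constructed plugin header carrying markup in its fields, the case the ticket describes.
$plugin = <<<'SRC'
<?php
/*
Plugin Name: Sample <script>alert(1)</script>
Plugin URI: javascript:alert(1)
Version: 1.0" onmouseover="alert(1)
Author: Mallory
Author URI: http://example.com/
*/
SRC;

echo render_plugin_row(parse_plugin_header($plugin, $fields)), "\n";
```

The rendered row shows the script tag and the quote-breaking version string as literal text, and the Plugin URI link is omitted because its scheme is not http(s).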
Change History (2)
Duplicate of #3396