Make WordPress Core

Opened 16 years ago

Closed 16 years ago

Last modified 16 years ago

#3516 closed defect (bug) (duplicate)

XSS in plugins.php

Reported by: xknown's profile xknown Owned by:
Milestone: Priority: high
Severity: major Version:
Component: Security Keywords:
Focuses: Cc:


In the plugins's list, the metadata of a plugin is not validated correctly, because it allows to inject XSS through:

  • Plugin Name
  • Version
  • Plugin URI
  • Author
  • Author URI

Actually it works even with unactive plugins, but IMHO, an unactive plugin shouldn't be allowed to do anything.

This problem relies on blog administrators's responsibility to see if the plugin comes from a trustable source or not.

PS. Sorry for my bad English.

Change History (2)

#1 @Viper007Bond
16 years ago

  • Keywords xss plugins removed
  • Milestone 2.2 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #3396

#2 @Viper007Bond
16 years ago

This was fixed in 2.1 BTW.

Note: See TracTickets for help on using tickets.