Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#3516 closed defect (bug) (duplicate)

XSS in plugins.php

Reported by: xknown
Owned by:
Milestone:
Priority: high
Severity: major
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

In the plugins list, a plugin's metadata is not validated correctly, because it allows XSS to be injected through:

  • Plugin Name
  • Version
  • Plugin URI
  • Author
  • Author URI

Actually, it works even with inactive plugins, but IMHO an inactive plugin shouldn't be allowed to do anything.

This problem relies on blog administrators' responsibility to check whether the plugin comes from a trusted source or not.

PS. Sorry for my bad English.
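The injection path the reporter describes, as an added example (not code from the ticket or from WordPress itself): a constructed plugin file whose header fields all carry payloads, a simplified parser standing in for the header reading the plugins list does, and the unescaped rendering beside an escaped one. The parser, the field set and the helper names are illustrative assumptions; the point they show is that header parsing reads every plugin file in the directory, active or not, and that HTML-encoding alone does not neutralise a javascript: URI in an href.

```php
<?php
// Added example (not WordPress code): plugin header metadata flowing unescaped
// into the plugins list, next to an escaped rendering of the same data.

// Constructed plugin file: the header comment block the plugins list reads for
// its metadata. Every field carries an injection payload.
$plugin_file_contents = <<<'PLUGIN'
<?php
/*
Plugin Name: Evil <script>alert(document.cookie)</script>
Plugin URI: javascript:alert(1)
Version: 1.0"><img src=x onerror="alert(2)">
Author: <b onmouseover="alert(3)">Mallory</b>
Author URI: http://example.com/"><script>alert(4)</script>
*/
PLUGIN;

// Simplified header parser (assumption: mirrors the field names only). It works
// on raw file contents, so it runs for inactive plugins exactly as for active
// ones; the file never has to be included or executed.
function parse_plugin_header(string $contents): array {
    $fields = ['Plugin Name', 'Plugin URI', 'Version', 'Author', 'Author URI'];
    $data = [];
    foreach ($fields as $field) {
        $pattern = '/^\s*' . preg_quote($field, '/') . ':\s*(.*)$/mi';
        $data[$field] = preg_match($pattern, $contents, $m) ? trim($m[1]) : '';
    }
    return $data;
}

// Vulnerable rendering: header values dropped straight into the markup, which
// is the behaviour the ticket reports.
function render_row_unescaped(array $p): string {
    return '<tr>'
        . '<td><a href="' . $p['Plugin URI'] . '">' . $p['Plugin Name'] . '</a></td>'
        . '<td>' . $p['Version'] . '</td>'
        . '<td><a href="' . $p['Author URI'] . '">' . $p['Author'] . '</a></td>'
        . '</tr>';
}

// Text placed in element content or a quoted attribute: HTML-encode it.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URLs need more than encoding: "javascript:alert(1)" survives htmlspecialchars
// unchanged and still executes from an href. Keep only http(s) URLs and return
// an empty string for anything else so the caller can drop the link.
function escape_http_url(string $url): string {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return escape_html($url);
}

// Hardened rendering: same row layout, every value escaped for its context.
function render_row_escaped(array $p): string {
    $link = function (string $url, string $text): string {
        $href = escape_http_url($url);
        return $href === ''
            ? escape_html($text)
            : '<a href="' . $href . '">' . escape_html($text) . '</a>';
    };
    return '<tr>'
        . '<td>' . $link($p['Plugin URI'], $p['Plugin Name']) . '</td>'
        . '<td>' . escape_html($p['Version']) . '</td>'
        . '<td>' . $link($p['Author URI'], $p['Author']) . '</td>'
        . '</tr>';
}

$plugin = parse_plugin_header($plugin_file_contents);

echo "Unescaped (script tags and event handlers reach the browser):\n";
echo render_row_unescaped($plugin), "\n\n";

echo "Escaped (payloads become inert text, javascript: link is dropped):\n";
echo render_row_escaped($plugin), "\n";
```

Run it with `php example.php` and compare the two rows: in the first, the Version payload closes the cell's tag and injects an img with an onerror handler, and the Plugin URI link fires on click; in the second, every angle bracket and quote is encoded and the javascript: URI has no anchor at all. Dropping a plugin into the directory is enough to get its header parsed, which is why the reporter's observation about inactive plugins holds.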

Change History (2)

#1 @Viper007Bond
14 years ago

  • Keywords xss plugins removed
  • Milestone 2.2 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #3396

#2 @Viper007Bond
14 years ago

This was fixed in 2.1 BTW.
