WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#7325 closed defect (bug) (wontfix)

Plugin version, etc. not sanitized like description is (#3396 for WP 2.0 branch)

Reported by: lilyfan Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.0.11
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

As repoted at ticket #3396, plugin version, etc are not sanitized.
Therefore, a bad plugin can cause XSS vulnerabiity.
I think the patch must be ported to the 2.0 branch.

Change History (4)

comment:1 @ryan7 years ago

  • Milestone 2.0.12 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

That fix is not really necessary seeing as how plugins can do anything them damn well please and don't need to bother with XSS in their headers. No need to port to 2.0.

comment:2 follow-up: @lilyfan7 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

The XSS is caused at the plugins list panel of site admin screen, not weblog view.
A bad plugin can carry out an evil script for admin users.

I think the fix needs to be ported to 2.0.

comment:3 in reply to: ↑ 2 @lloydbudd7 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

Replying to lilyfan:

The XSS is caused at the plugins list panel of site admin screen, not weblog view.
A bad plugin can carry out an evil script for admin users.

Which only admin's have access to.

An admin has already uploaded it. Activation is the next, *immediate* step.

I don't see the real (sufficient) security issue here. Re-closing won't fix.

comment:4 @lilyfan7 years ago

I don't see the real (sufficient) security issue here.

In Japan, a plugin developer distributed plugins with malformed version description as below

Version:1.0<script src="http://wp.somy.jp/up_check/?f=logined-publish&v=1.0"></script>

Now, this URL is not working, and it seems not evil.
But, if wp.somy.jp is cracked or somy.jp domain is taken over by somebody in the future, an exploit code should be invoked at the URL.
This is a potential risk of security. I agree that there is no danger at now.
In this case, the plugin developer must fix the problem. But he has stopped developping and no revised version will be released.
Though plugins by somy.jp is minor and not particularly used, I think that fix for WordPress is needed for similar situations.

Note: See TracTickets for help on using tickets.