[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't
show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Wed Jul 30 06:37:37 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
-------------------------------------------------------------------+--------
Reporter: guillep2k | Owner: guillep2k
Type: defect | Status: reopened
Priority: high | Milestone: 2.6.1
Component: Security | Version: 2.6
Severity: critical | Resolution:
Keywords: exploit security has-patch dev-feedback tested commit |
-------------------------------------------------------------------+--------
Comment (by westi):
Replying to [comment:34 DD32]:
> > There is a small XSS issue when showing plugin's name
>
> While it displays the plugins filename rather than "Plugin Name" I guess
you're saying that it could include html in the active_plugins option?
Indeed if someone has inserted something into active_plugins it could be
anything so we should def protect against this.
Good catch xknown once again :-)
--
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:35>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list