[wp-trac] [WordPress Trac] #3516: XSS in plugins.php

WordPress Trac wp-trac at lists.automattic.com
Tue Jan 2 01:01:08 GMT 2007

#3516: XSS in plugins.php
 Reporter:  xknown    |       Owner:  anonymous   
     Type:  defect    |      Status:  new         
 Priority:  high      |   Milestone:  2.2         
Component:  Security  |     Version:              
 Severity:  major     |    Keywords:  xss, plugins
 In the plugins list, the metadata of a plugin is not validated
 correctly, because it allows injecting XSS through:

  * Plugin Name
  * Version
  * Plugin URI
  * Author
  * Author URI

 Actually it works even with inactive plugins, but IMHO, an inactive plugin
 shouldn't be allowed to do anything.

 This problem relies on blog administrators' responsibility to see if the
 plugin comes from a trustworthy source or not.

 PS. Sorry for my bad English.

Ticket URL: <http://trac.wordpress.org/ticket/3516>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
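The issue described in the ticket is that header fields read out of a plugin file are written into the plugins list without output escaping. The following is an added illustration, not WordPress code: it parses the five header fields named in the ticket with a simplified version of the header regex, renders a table row the unescaped way beside an escaped way, and treats the two URI fields as links only when they carry an http(s) scheme. The sample plugin source and the function names are constructed for this example.

```php
<?php
// Constructed sample plugin header (not a real plugin). The text fields
// carry markup and the Author URI carries a non-http scheme, so the
// difference between the two renderers is visible.
$sample_source = <<<'SRC'
<?php
/*
Plugin Name: Demo <b>Plugin</b> "quoted"
Plugin URI: http://example.com/?a=1&b=2
Version: 1.0 <i>beta</i>
Author: Someone <u>Else</u>
Author URI: javascript:alert(1)
*/
SRC;

// Simplified header parser: one regex per field, matched against the
// leading comment block, in the spirit of (but not identical to) the
// WordPress header regex. Field values are returned untouched.
function parse_plugin_header(string $source): array {
    $fields = ['Plugin Name', 'Plugin URI', 'Version', 'Author', 'Author URI'];
    $data = [];
    foreach ($fields as $field) {
        $pattern = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
        $data[$field] = preg_match($pattern, $source, $m) ? trim($m[1]) : '';
    }
    return $data;
}

// Escape for an HTML text or attribute context.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Escaping alone does not make a value safe inside href: only http(s)
// URLs become links, anything else is shown as plain escaped text.
function esc_link(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return esc_text($url);
    }
    $e = esc_text($url);
    return '<a href="' . $e . '">' . $e . '</a>';
}

// Vulnerable row: header values are concatenated straight into markup.
function render_row_unescaped(array $d): string {
    return '<tr><td><a href="' . $d['Plugin URI'] . '">' . $d['Plugin Name'] . '</a></td>'
         . '<td>' . $d['Version'] . '</td>'
         . '<td><a href="' . $d['Author URI'] . '">' . $d['Author'] . '</a></td></tr>';
}

// Hardened row: every field is escaped for the context it lands in.
function render_row_escaped(array $d): string {
    return '<tr><td>' . esc_link($d['Plugin URI']) . ' ' . esc_text($d['Plugin Name']) . '</td>'
         . '<td>' . esc_text($d['Version']) . '</td>'
         . '<td>' . esc_link($d['Author URI']) . ' ' . esc_text($d['Author']) . '</td></tr>';
}

$data = parse_plugin_header($sample_source);
echo render_row_unescaped($data), "\n";  // markup and the javascript: href survive
echo render_row_escaped($data), "\n";    // markup shown as text, URI not linked
```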
