[wp-trac] [WordPress Trac] #3516: XSS in plugins.php
WordPress Trac
wp-trac at lists.automattic.com
Tue Jan 2 01:01:08 GMT 2007
#3516: XSS in plugins.php
----------------------+-----------------------------------------------------
Reporter: xknown | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.2
Component: Security | Version:
Severity: major | Keywords: xss, plugins
----------------------+-----------------------------------------------------
In the plugins list, the metadata of a plugin is not validated
correctly, because it allows injecting XSS through:
* Plugin Name
* Version
* Plugin URI
* Author
* Author URI
Actually it works even with inactive plugins, but IMHO, an inactive plugin
shouldn't be allowed to do anything.
This problem relies on blog administrators' responsibility to see whether the
plugin comes from a trustworthy source or not.
PS. Sorry for my bad English.
--
Ticket URL: <http://trac.wordpress.org/ticket/3516>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
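As an added example (not WordPress's own code), the five header fields the ticket lists are parsed from a constructed plugin header and rendered twice: once in the unescaped shape the report describes, once with each value escaped for the HTML context it lands in. The parsing regex and the `esc_text`/`esc_href`/`link_or_text` helpers are this example's own, not WordPress functions.

```php
<?php
// Added example, not WordPress code. The header text is constructed for
// this demo and carries markup in exactly the fields the ticket names.
$constructedHeader = "/*\nPlugin Name: Demo <script>alert(1)</script>\n"
    . "Plugin URI: http://example.invalid/\"><b>x</b>\nVersion: 1.0<i>\n"
    . "Author: Eve\nAuthor URI: javascript:alert(1)\n*/";

$fields = ['Plugin Name', 'Version', 'Plugin URI', 'Author', 'Author URI'];

// Pull "Field: value" lines out of the header comment (this regex is the
// example's own, modelled on how plugin headers are laid out).
function parse_plugin_header(string $text, array $fields): array {
    $data = [];
    foreach ($fields as $f) {
        $re = '/^[ \t\/*#@]*' . preg_quote($f, '/') . ':(.*)$/mi';
        $data[$f] = preg_match($re, $text, $m) ? trim($m[1]) : '';
    }
    return $data;
}

// Escape for an HTML text node or a quoted attribute value.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// href values: allow only http(s) so javascript: is dropped, then escape so
// a quote inside the URL cannot close the attribute.
function esc_href(string $url): string {
    return preg_match('#^https?://#i', $url) ? esc_text($url) : '';
}

// Vulnerable shape the ticket describes: raw header values in the row.
function render_row_unsafe(array $p): string {
    return "<tr><td><a href=\"{$p['Plugin URI']}\">{$p['Plugin Name']}</a></td>"
        . "<td>{$p['Version']}</td>"
        . "<td><a href=\"{$p['Author URI']}\">{$p['Author']}</a></td></tr>";
}

// Fixed shape: a rejected URL leaves plain text instead of an empty link.
function link_or_text(string $url, string $label): string {
    $href = esc_href($url);
    return $href === '' ? esc_text($label)
        : '<a href="' . $href . '">' . esc_text($label) . '</a>';
}
function render_row_safe(array $p): string {
    return '<tr><td>' . link_or_text($p['Plugin URI'], $p['Plugin Name']) . '</td>'
        . '<td>' . esc_text($p['Version']) . '</td>'
        . '<td>' . link_or_text($p['Author URI'], $p['Author']) . '</td></tr>';
}

$plugin = parse_plugin_header($constructedHeader, $fields);
echo render_row_unsafe($plugin), "\n";  // header markup reaches the page as-is
echo render_row_safe($plugin), "\n";    // markup is inert, javascript: is gone
```

The same escaping applies whether or not the plugin is active, since the header is read from the file before any plugin code runs.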