Closed
Bug 771315
Opened 13 years ago
Closed 13 years ago
WP Plugin Simple-embed-Code - Fix XSS Before Adding to Hacks Blog
Categories
(Developer Engagement :: Mozilla Hacks, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mfuller, Assigned: mfuller)
References
Details
(Keywords: wsec-xss)
During a security review of the simple embed code plugin for the hacks blog (bug 771050), I found an XSS vulnerability in the "search" admin page. This is executed using a link such as:
http://site.com/wp-admin/admin.php?page=ace-search&suffix="/><script>alert(1);</script>
Although behind the login page, this link could be sent to a blog author or clicked on by one, causing the code to execute.
I've contacted the developer of this plugin.
This blocks the installation of the plugin.
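The reflection described in the report and an output-encoding fix, as an added example that is not the plugin's own code and not part of the original report. The function names, and the assumption that `suffix` is echoed into a `value` attribute, are hypothetical, since the bug does not show the plugin source.

```php
<?php
// Hypothetical admin-page renderers; the plugin's real code is not shown in the bug.
// Assumption: the "suffix" query parameter is echoed into a value="" attribute.

// Vulnerable form: raw request data concatenated into an attribute.
function render_search_field_vulnerable(array $query): string
{
    $suffix = $query['suffix'] ?? '';
    return '<input type="text" name="suffix" value="' . $suffix . '" />';
}

// Hardened form: encode for the HTML attribute context at the point of output.
// Inside WordPress, esc_attr() is the idiomatic call for this step.
function render_search_field_hardened(array $query): string
{
    $suffix = $query['suffix'] ?? '';
    if (!is_string($suffix)) {
        // A request such as suffix[]=x arrives as an array; treat it as empty.
        $suffix = '';
    }
    // ENT_QUOTES encodes both quote characters, so the value cannot close the attribute.
    $encoded = htmlspecialchars($suffix, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="suffix" value="' . $encoded . '" />';
}

// Regression check: true when the rendered field contains exactly one tag,
// meaning the parameter did not break out of the attribute and add markup.
function field_is_single_tag(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed input: the suffix value from the link quoted in the report.
$query = ['suffix' => '"/><script>alert(1);</script>'];

foreach (['vulnerable', 'hardened'] as $variant) {
    $html = call_user_func("render_search_field_{$variant}", $query);
    echo $variant, ': ', $html, PHP_EOL;
    echo '  single tag: ', var_export(field_is_single_tag($html), true), PHP_EOL;
}
```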
Comment 1•13 years ago
The developer has replied and updated the plugin to version 2.0.2, which fixes the XSS issue. I am marking this bug resolved.
--Developer Email--
Hi Matt,
The plugin has been updated and is live in the WordPress.org repository - version 2.0.2.
Let me know if there are any issues and, naturally, if there's any further functionality that your developers would like to see it cover please feel free to contact me.
Kind regards,
David Artiss.
http://www.artiss.co.uk
Assignee: nobody → mfuller
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•12 years ago
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
Updated•12 years ago
Version: Firefox 6 → unspecified
Comment 2•12 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•8 years ago
Product: Mozilla Developer Network → Developer Engagement