[Resolved] John (@pcarrell)


    The Ad inserter plugin doesn’t escape user input so some of the code that I’m adding gets executed directly in the browser.

    To replicate:-
    1) Go to a new tab to add some new code
    2) Add “</textarea><p>This is not secure!</p>” as the ad code
    3) Save all settings
    4) Reload the page

    Result:- The code I’ve just added is executed directly in the page and is not editable. See example screenshot:- http://scr.hu/76g8/jmb3y

    Expected Result:- Input is escaped and only executed on the front end of the site

    This is a security flaw that should be addressed.

    https://ww.wp.xz.cn/plugins/ad-inserter/
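The report describes the classic textarea break-out: a stored value that contains `</textarea>` closes the element early, so the rest of the value is parsed as live markup on the admin page instead of being shown as editable text. The following PHP is an added illustration, not code from the Ad Inserter plugin; the function names, the option name `ad_code` and the sample value are assumptions made for the demo. It renders the same stored value three ways: the unescaped admin form (the defect reported above), the escaped admin form, and the front-end output where the raw code is meant to run.

```php
<?php
// Added example (not the Ad Inserter plugin's own code). Shows why the admin
// textarea must HTML-escape the stored ad code while the front end emits it raw.

declare(strict_types=1);

/**
 * Hypothetical vulnerable admin renderer: the stored option is concatenated
 * straight into the <textarea>. A value containing "</textarea>" terminates
 * the element and the remainder becomes markup the browser interprets.
 */
function render_admin_textarea_vulnerable(string $stored_code): string
{
    return '<textarea name="ad_code">' . $stored_code . '</textarea>';
}

/**
 * Hardened admin renderer: escape before placing the value inside the
 * textarea. In WordPress the idiomatic call is esc_textarea(), which wraps
 * htmlspecialchars() with ENT_QUOTES; plain htmlspecialchars() is used here
 * so this file runs without WordPress loaded.
 */
function render_admin_textarea_escaped(string $stored_code): string
{
    $safe = htmlspecialchars($stored_code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="ad_code">' . $safe . '</textarea>';
}

/**
 * Front-end renderer: this is the one place the raw ad code is meant to be
 * emitted, because the whole point of the option is to inject markup into
 * the public page. Escaping is context-specific, not global.
 */
function render_frontend(string $stored_code): string
{
    return '<div class="ad-slot">' . $stored_code . '</div>';
}

/**
 * Detection check used by the demo: the admin markup should contain exactly
 * one closing </textarea>. A second one means the stored value escaped the
 * element, which is the symptom in the report.
 */
function textarea_stays_closed(string $html): bool
{
    return substr_count(strtolower($html), '</textarea>') === 1;
}

// Constructed sample input: the exact value quoted in the bug report.
$stored = '</textarea><p>This is not secure!</p>';

foreach ([
    'admin (vulnerable)' => render_admin_textarea_vulnerable($stored),
    'admin (escaped)'    => render_admin_textarea_escaped($stored),
] as $label => $html) {
    printf("%-20s %s\n", $label . ':', $html);
    printf("%-20s textarea intact: %s\n", '', textarea_stays_closed($html) ? 'yes' : 'no');
}

printf("%-20s %s\n", 'front end:', render_frontend($stored));
```

Running it with `php` shows the vulnerable admin output carrying two `</textarea>` tags, the escaped output showing the literal text `&lt;/textarea&gt;&lt;p&gt;...` inside a single textarea that stays editable, and the front-end output containing the raw markup, which is the behaviour the reporter's "Expected Result" asks for. The `textarea_stays_closed()` check is a cheap regression test a plugin could keep in its own test suite for every admin textarea that echoes stored settings.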

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Urgent Security Flaw’ is closed to new replies.