Title: Will there be a Security Patch?
Last modified: October 21, 2023

---

# Will there be a Security Patch?

 *  [Aaron Kittredge](https://wordpress.org/support/users/kittyridge/)
 * (@kittyridge)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/will-there-be-a-security-patch/)
 * Are there plans to patch this plugin or no? I’d like to know so I can plan accordingly.
 * Thanks
   Problem: The Add Custom Body Class plugin for WordPress is vulnerable to
   Stored Cross-Site Scripting via the ‘add_custom_body_class’ value in versions
   up to, and including, 1.4.1 due to insufficient input sanitization and output
   escaping. This makes it possible for authenticated attackers, with contributor-
   level access and above, to inject arbitrary web scripts in pages that will execute
   whenever a user accesses an injected page.

Viewing 1 replies (of 1 total)

 *  Thread Starter [Aaron Kittredge](https://wordpress.org/support/users/kittyridge/)
 * (@kittyridge)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/will-there-be-a-security-patch/#post-17141096)
 * In case this helps, I tried making the following changes to the code:
 * In the save_custom_body_class_post_meta_boxes function, I added the $post_id
   parameter and sanitized the input using sanitize_text_field to prevent XSS.
   In the add_custom_body_class_box function, I used esc_attr to escape the value when
   displaying it in the input field. In the add_custom_field_body_class function,
   I used esc_attr to escape the custom body class before adding it to the classes
   array. I think these changes should help prevent the stored XSS vulnerability
   in the plugin, but I’m not 100% sure:
   ```php
   <?php
   /**
    * Plugin Name: Add Custom Body Class
    * Author: Anil Ankola
    * Version: 1.4.1
    * Description: Use this plugin to add a custom class in the HTML body tag.
    * Text Domain: add-custom-body-class
    */
   if (!defined('ABSPATH')) exit; // Prevent Direct Browsing

   // Add Custom meta box
   function add_custom_body_class_post_meta_boxes()
   {
       $screens = get_post_types();
       foreach ($screens as $screen) {
           add_meta_box('add_custom_body_class_box', 'Add Custom Body Class', 'add_custom_body_class_box', $screen, 'side', 'default');
       }
   }
   add_action("admin_init", "add_custom_body_class_post_meta_boxes");

   function save_custom_body_class_post_meta_boxes($post_id)
   {
       if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
           return;
       }
       if (get_post_status($post_id) === 'auto-draft') {
           return;
       }
       // Only act on submissions that came from this meta box. Other save_post
       // callers (Quick Edit, REST, WP-CLI) do not send the field and must not
       // wipe the stored value or trigger an undefined-index notice.
       if (!isset($_POST['add_custom_body_class_nonce'], $_POST['add_custom_body_class'])) {
           return;
       }
       if (!wp_verify_nonce($_POST['add_custom_body_class_nonce'], 'save_custom_body_class')) {
           return;
       }
       if (!current_user_can('edit_post', $post_id)) {
           return;
       }

       // Sanitize the input (wp_unslash first: WordPress adds slashes to $_POST values)
       $custom_body_class = sanitize_text_field(wp_unslash($_POST["add_custom_body_class"]));

       update_post_meta($post_id, "add_custom_body_class", $custom_body_class);
   }
   add_action('save_post', 'save_custom_body_class_post_meta_boxes');

   function add_custom_body_class_box($post)
   {
       $get_class_value = get_post_custom($post->ID);

       // Initialize the value with an empty string
       $add_custom_body_class = '';

       if (isset($get_class_value['add_custom_body_class'][0])) {
           $add_custom_body_class = $get_class_value['add_custom_body_class'][0];
       }
       // Nonce field that the save handler verifies
       wp_nonce_field('save_custom_body_class', 'add_custom_body_class_nonce');
       ?>
       <input type="text" id="add_custom_body_class" name="add_custom_body_class" value="<?php echo esc_attr($add_custom_body_class); ?>">
       <?php
   }

   // Display body class function
   add_filter('body_class', 'add_custom_field_body_class');
   function add_custom_field_body_class($classes)
   {
       if (function_exists('is_shop') && is_shop()) {
           $post_id = get_option('woocommerce_shop_page_id');
       } elseif (is_home()) {
           $post_id = get_option('page_for_posts');
       } else {
           $post_id = get_the_ID();
       }

       // Get the custom body class and escape it for use inside the class attribute
       $show_body_class = get_post_meta($post_id, 'add_custom_body_class', true);
       if ($show_body_class) {
           $classes[] = esc_attr($show_body_class);
       }

       // Return the $classes array
       return $classes;
   }
   ```
   
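An added example, not the plugin's code and not the poster's patch above, showing the stricter alternative a reviewer would suggest for this field: since the value is a CSS class list, sanitize it with an allowlist (core's `sanitize_html_class()` per whitespace-separated token) rather than `sanitize_text_field()`, which leaves quotes and event-handler text such as `" onmouseover="` intact and relies entirely on later escaping. It also goes beyond the thread by adding an audit helper for values already stored before a fix, because patching the save path does not clean rows an attacker wrote earlier. The `add_custom_body_class` meta key, the `save_post`/`body_class` hooks and the page-resolution logic come from the plugin; the `acbc_` prefix, the nonce action name, the fallback sanitizer and the sample rows are my assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): allowlist sanitization for the
 * 'add_custom_body_class' meta value, a hardened save/output path, and an
 * audit helper for previously stored values. Runs offline from the CLI.
 */

// Fallback so the demo runs outside WordPress; inside WordPress core's own
// sanitize_html_class() (same rule: keep only A-Za-z0-9, '_' and '-') is used.
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class($class, $fallback = '') {
        $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class); // drop %xx octets
        $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);      // class-name alphabet only
        return ('' === $sanitized && $fallback) ? $fallback : $sanitized;
    }
}

// The field holds one or more CSS class names: split on whitespace and keep
// only characters that are valid in a class name (assumed helper name).
function acbc_sanitize_body_classes(string $raw): string {
    $tokens = preg_split('/\s+/', trim($raw)) ?: [];
    $clean  = array_filter(array_map('sanitize_html_class', $tokens));
    return implode(' ', array_unique($clean));
}

// Audit helper for rows written before the fix: any character outside the
// class-name alphabet (plus whitespace between classes) is suspicious.
function acbc_find_suspicious(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match('/[^A-Za-z0-9_\s-]/', $row['meta_value'])) {
            $hits[] = $row['post_id'];
        }
    }
    return $hits;
}

if (function_exists('add_action')) {
    // Save handler: nonce, capability, then allowlist sanitization.
    add_action('save_post', function ($post_id) {
        if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) return;
        if (!isset($_POST['acbc_nonce'], $_POST['add_custom_body_class'])) return;
        if (!wp_verify_nonce($_POST['acbc_nonce'], 'acbc_save')) return;   // assumed action name
        if (!current_user_can('edit_post', $post_id)) return;
        update_post_meta($post_id, 'add_custom_body_class',
            acbc_sanitize_body_classes(wp_unslash($_POST['add_custom_body_class'])));
    });

    // Output: get_body_class() escapes only the classes it builds before the
    // filter runs, so classes added here are the plugin's responsibility.
    add_filter('body_class', function (array $classes) {
        if (function_exists('is_shop') && is_shop()) {          // same lookup as the plugin
            $post_id = get_option('woocommerce_shop_page_id');
        } elseif (is_home()) {
            $post_id = get_option('page_for_posts');
        } else {
            $post_id = get_the_ID();
        }
        $stored = (string) get_post_meta($post_id, 'add_custom_body_class', true);
        // Re-sanitize on output as well: rows saved before the fix are still in the database.
        foreach (explode(' ', acbc_sanitize_body_classes($stored)) as $class) {
            if ($class !== '') {
                $classes[] = $class;
            }
        }
        return $classes;
    });
}

if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    // Constructed sample rows, not real data: the second carries an
    // attribute-breakout attempt that sanitize_text_field() would leave intact.
    $rows = [
        ['post_id' => 12, 'meta_value' => 'landing hero-dark'],
        ['post_id' => 47, 'meta_value' => 'x" onmouseover="alert(1)'],
    ];
    var_dump(acbc_sanitize_body_classes($rows[1]['meta_value']));
    var_dump(acbc_find_suspicious($rows));
}
```

To use the audit helper on a live site, feed it the rows of `wp_postmeta` where `meta_key = 'add_custom_body_class'` and review or re-sanitize every post it flags; a patch to the save handler alone leaves earlier payloads in place.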


The topic ‘Will there be a Security Patch?’ is closed to new replies.

 * [Add Custom Body Class](https://wordpress.org/plugins/add-custom-body-class/)

 * 2 replies
 * 1 participant
 * Last reply from: [Aaron Kittredge](https://wordpress.org/support/users/kittyridge/)
 * Last activity: [2 years, 7 months ago](https://wordpress.org/support/topic/will-there-be-a-security-patch/#post-17141096)
 * Status: not resolved