XSS Vulnerability | ww.wp.xz.cn

Resolved KTS915
(@kts915)

10 years, 11 months ago

I see that there is an instance of add_query_arg() in line 230 of includes/class-post-hit-counter-settings.php and one of remove_query_arg() on line 232 of the same file.

Do they need to be escaped because of this vulnerability?

https://ww.wp.xz.cn/plugins/post-hit-counter/

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author Hugh Lashbrooke
(@hlashbrooke)

10 years, 11 months ago

Thanks for bringing this up – it does indeed need to be fixed and I have just patched it in the latest release of the plugin (v1.3.2).

To be fair, however, those URLs are only accessible to logged in administrators, so even without this patch it’s highly unlikely that this would have ever caused a problem 🙂

Thanks,
Hugh

Thread Starter KTS915
(@kts915)

10 years, 11 months ago

I did wonder about that. Thanks for doing this!

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘XSS Vulnerability’ is closed to new replies.

2 replies
2 participants
Last reply from: KTS915
Last activity: 10 years, 11 months ago
Status: resolved