• Resolved amarie

    (@tuesdave)


    Hello. I had a security audit done on my website and they found a slight vulnerability in your plugin

    Location: json-rest-api/lib/class-wp-json-server.php Line 298

    echo '/**/' . $_GET['_jsonp'] . '(' . $result . ')';

    The identified code returns untrusted input from the user and renders it on a webpage without any validation.

    All data originating from user input and displayed in the user’s browser should be properly encoded/escaped depending on the context in which that data is displayed (e.g. HTML tags, attributes, JavaScript).

    Are there any plans to patch this in the near future? Otherwise I’d need to maintain this myself.

    Thank you!

    https://ww.wp.xz.cn/plugins/json-rest-api/
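As an added example (not the plugin's code and not the poster's), one defensive shape for the line quoted above: accept the `_jsonp` callback name only if it looks like a JavaScript identifier path, and refuse the request otherwise. Function names and the sample values are assumptions made for this illustration.

```php
<?php
// Added example, not the plugin's code: validate the JSONP callback name
// before it is echoed, instead of reflecting $_GET['_jsonp'] verbatim.

function jsonp_callback_is_safe(string $callback): bool
{
    // Whitelist: word characters and dots only (e.g. "jQuery19_cb", "app.cb"),
    // with a length cap. Anything else (quotes, brackets, '<', ';', '/') is rejected.
    return strlen($callback) <= 128
        && preg_match('/\A[\w.]+\z/', $callback) === 1;
}

function render_jsonp(array $data, ?string $callback): string
{
    // Escape characters that matter when the body is interpreted as script.
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    if ($callback === null) {
        return $json;            // plain JSON when no callback was requested
    }
    if (!jsonp_callback_is_safe($callback)) {
        // Refuse rather than "clean up": a rejected name is easy to log and test for.
        throw new InvalidArgumentException('Invalid JSONP callback name');
    }
    // The leading comment block is kept from the original line; only the
    // callback is now constrained. Send the body as application/javascript
    // with X-Content-Type-Options: nosniff in a real response.
    return '/**/' . $callback . '(' . $json . ')';
}

// Constructed sample values for demonstration.
$data = ['id' => 1, 'title' => 'Hello <world>'];

echo render_jsonp($data, 'jQuery19_cb'), "\n";   // accepted identifier

try {
    render_jsonp($data, 'cb();//');               // contains non-identifier characters
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```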

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter amarie

    (@tuesdave)

    I apologize for posting a vulnerability to this public forum. I have since discovered the term ‘responsible disclosure’ and will practice it henceforth.

    Any update on this?

    Thanks

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    If you believe you’ve found a security issue with the plugin, please email [email protected] and it will be dealt with accordingly. Public support forums are not the appropriate venue for reporting or discussing possible security issues.

The topic ‘XSS Vulnerability’ is closed to new replies.