[plugin search-log] XSS vulnerability

  • The plugin search log has a XSS vulnerability.

    If a search is done using <script>alert(\'0wn3d\')</script> it is active on the admin side search log page.

    Not cool.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter islandcastaway

    (@islandcastaway)

    Need to change line #25:

    $search_term = urldecode( $_GET['s'] );

    to

    `$search_term = wp_specialchars($_GET[‘s’], 1); ‘

    Thread Starter islandcastaway

    (@islandcastaway)

    Also change line #23

    $search_term = urldecode( substr( $_SERVER['REQUEST_URI'], $index + strlen( '/search/' ) ) );

    to
    $search_term = wp_specialchars( substr( $_SERVER['REQUEST_URI'], $index + strlen( '/search/' ) ),1 );

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘[plugin search-log] XSS vulnerability’ is closed to new replies.