• [Resolved] Sean Donovan (@mrsdonovan)


    I realize the plugin is not available for download, is over a decade old and the original coder’s URL is dead, but I like this plugin and it just works, as it has for a decade.

    I tested the exploit as written up:

    <your URL>/wp-content/plugins/auto-thickbox-plus/download.min.php?file=%3Cscript%3Ealert%281%29%3C/script%3E

    And sure enough the code executes.

    If you go into the settings of Auto Thickbox Plus, it turns out that “download the image” was a beta feature and probably should not have been released with production code. The hard way to fix this is to submit download.min.php to ChatGPT v4.0 and it will fix the code for you. I tested the code it generated and the file URL above doesn’t execute. After doing that I realized you can simply remove line 156 from auto-thickbox.php where it uses download.min.php, then delete download.min.php!

    Problem solved. Another decade of use! Much thanks to “ethicalhack3r” for pointing out the problem.

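For anyone who wants to keep a download endpoint rather than delete it, the following is an added example of what a hardened handler for a `file` parameter like the one in the URL above needs to do. It is not the plugin's code and not what ChatGPT produced for the poster; the function names `resolve_download` and `error_page`, the allowed image extensions, and the sample inputs are all assumptions made for the example. The two checks are independent: the request is only honoured for a plain basename that exists directly under the uploads directory (which rejects both the `<script>` payload and path traversal), and anything echoed back to the browser is HTML-escaped so a reflected value renders as text instead of executing.

```python
import html
import re
import tempfile
from pathlib import Path

# Assumption for this example: only plain image basenames are accepted.
# No slashes, no leading dots, no markup or control characters, and the
# extension must be one of a fixed list. Anything else is refused outright.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(?:jpe?g|png|gif|webp)$")


def resolve_download(file_param: str, uploads_root: Path):
    """Return the real path of the requested image, or None if the request
    is not a plain, existing file directly under uploads_root."""
    if not ALLOWED_NAME.fullmatch(file_param):
        return None
    root = uploads_root.resolve()
    candidate = (root / file_param).resolve()
    # Even a name that passed the regex must resolve inside the uploads
    # directory; this guards against symlinks pointing elsewhere.
    if candidate.parent != root:
        return None
    if not candidate.is_file():
        return None
    return candidate


def error_page(file_param: str) -> str:
    """The only safe way to echo the requested value back: HTML-escaped,
    so <script>alert(1)</script> is shown as text, not executed."""
    return "<p>File not available: %s</p>" % html.escape(file_param, quote=True)


def demo():
    """Run the checks over constructed inputs (not data from any real site)."""
    root = Path(tempfile.mkdtemp())
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # constructed JPEG stub
    xss = "<script>alert(1)</script>"          # the payload from the write-up
    traversal = "../../wp-config.php"          # a related abuse of the same parameter
    return {
        "legit": resolve_download("photo.jpg", root) == (root / "photo.jpg").resolve(),
        "xss_rejected": resolve_download(xss, root) is None,
        "traversal_rejected": resolve_download(traversal, root) is None,
        "missing_rejected": resolve_download("nope.png", root) is None,
        "escaped": error_page(xss),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The whitelist approach is deliberately stricter than "strip the angle brackets": the endpoint only ever serves files it can name itself, so there is nothing attacker-controlled to reflect in the success path, and the one place user input reaches the page (the error message) goes through `html.escape`. Deleting the endpoint, as the post does, remains the simplest fix when the feature is not needed.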

  • The topic ‘Cross-site Scripting Fix’ is closed to new replies.