Cross site scripting (XSS) adminajax.php
Hi guys,
Recently a site I delivered for a client had to go through an Acunetix security test. The final result brought back this alert. I am sorry if this question has been answered before, but I wasn't able to find anything. I am sorry as well that I cannot share the link for my website, because the client doesn't want to make it public before these alerts are removed.
Below is the full alert note:
/wp-admin/admin-ajax.php
Alert group: Cross site scripting
Severity: High
Description: Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page.
Alert variants / Details: URL encoded POST input atts[sk-options][monthly_view][sed_method] was set to 09945();}]9213. The input is reflected inside a <script> tag.
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://smartkosova.rks-gov.net/
Cookie: comment_author_c1938278c4773c3d9e17d609a75b3d97=1; comment_author_email_c1938278c4773c3d9e17d609a75b3d97=sample%40email.tst; comment_author_url_c1938278c4773c3d9e17d609a75b3d97=http%3A%2F%2F1; wordpress_test_cookie=WP%20Cookie%20check; privacy_embeds=consent,tracking
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 21867
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
```
Thank you so much in advance
- This topic was modified 3 years, 2 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Installing WordPress topic
That report is not useful to us without seeing the code, at least, not to me.
It barely tells me what the report is.
It should mention a line of code where the vulnerability supposedly exists, and then that code can be analysed and adequately corrected. You might want to hire an expert on this, however, since security is a complex matter.
But of course the community here is happy to take a look if you can share the offending code, perhaps we have an idea or suggestion as of how to improve it.
It seems that something in the POSTed array either unescaped, or not encoded, not validated, not authorised, gets submitted and used as output.
But it is not clear to me at all what the code actually looks like. It also seems that in your report some things got encoded? Perhaps you can make use of 3 backticks when posting code in your follow-up reply (```); this helps delimit code.
Sorry.
1. Here is the full link with what acunetix provided for this problem
– https://ibb.co/C2Q6Mvp
2. And here is the full code of /wp-admin/admin-ajax.php:
```php
<?php
/**
 * WordPress Ajax Process Execution
 *
 * @package WordPress
 * @subpackage Administration
 *
 * @link https://codex.www.ads-software.com/AJAX_in_Plugins
 */

/**
 * Executing Ajax process.
 *
 * @since 2.1.0
 */
define( 'DOING_AJAX', true );
if ( ! defined( 'WP_ADMIN' ) ) {
	define( 'WP_ADMIN', true );
}

/** Load WordPress Bootstrap */
require_once dirname( __DIR__ ) . '/wp-load.php';

/** Allow for cross-domain requests (from the front end). */
send_origin_headers();

header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
header( 'X-Robots-Tag: noindex' );

// Require an action parameter.
if ( empty( $_REQUEST['action'] ) ) {
	wp_die( '0', 400 );
}

/** Load WordPress Administration APIs */
require_once ABSPATH . 'wp-admin/includes/admin.php';

/** Load Ajax Handlers for WordPress Core */
require_once ABSPATH . 'wp-admin/includes/ajax-actions.php';

send_nosniff_header();
nocache_headers();

/** This action is documented in wp-admin/admin.php */
do_action( 'admin_init' );

$core_actions_get = array(
	'fetch-list',
	'ajax-tag-search',
	'wp-compression-test',
	'imgedit-preview',
	'oembed-cache',
	'autocomplete-user',
	'dashboard-widgets',
	'logged-in',
	'rest-nonce',
);

$core_actions_post = array(
	'oembed-cache',
	'image-editor',
	'delete-comment',
	'delete-tag',
	'delete-link',
	'delete-meta',
	'delete-post',
	'trash-post',
	'untrash-post',
	'delete-page',
	'dim-comment',
	'add-link-category',
	'add-tag',
	'get-tagcloud',
	'get-comments',
	'replyto-comment',
	'edit-comment',
	'add-menu-item',
	'add-meta',
	'add-user',
	'closed-postboxes',
	'hidden-columns',
	'update-welcome-panel',
	'menu-get-metabox',
	'wp-link-ajax',
	'menu-locations-save',
	'menu-quick-search',
	'meta-box-order',
	'get-permalink',
	'sample-permalink',
	'inline-save',
	'inline-save-tax',
	'find_posts',
	'widgets-order',
	'save-widget',
	'delete-inactive-widgets',
	'set-post-thumbnail',
	'date_format',
	'time_format',
	'wp-remove-post-lock',
	'dismiss-wp-pointer',
	'upload-attachment',
	'get-attachment',
	'query-attachments',
	'save-attachment',
	'save-attachment-compat',
	'send-link-to-editor',
	'send-attachment-to-editor',
	'save-attachment-order',
	'media-create-image-subsizes',
	'heartbeat',
	'get-revision-diffs',
	'save-user-color-scheme',
	'update-widget',
	'query-themes',
	'parse-embed',
	'set-attachment-thumbnail',
	'parse-media-shortcode',
	'destroy-sessions',
	'install-plugin',
	'update-plugin',
	'crop-image',
	'generate-password',
	'save-wporg-username',
	'delete-plugin',
	'search-plugins',
	'search-install-plugins',
	'activate-plugin',
	'update-theme',
	'delete-theme',
	'install-theme',
	'get-post-thumbnail-html',
	'get-community-events',
	'edit-theme-plugin-file',
	'wp-privacy-export-personal-data',
	'wp-privacy-erase-personal-data',
	'health-check-site-status-result',
	'health-check-dotorg-communication',
	'health-check-is-in-debug-mode',
	'health-check-background-updates',
	'health-check-loopback-requests',
	'health-check-get-sizes',
	'toggle-auto-updates',
	'send-password-reset',
);

// Deprecated.
$core_actions_post_deprecated = array(
	'wp-fullscreen-save-post',
	'press-this-save-post',
	'press-this-add-category',
	'health-check-dotorg-communication',
	'health-check-is-in-debug-mode',
	'health-check-background-updates',
	'health-check-loopback-requests',
);

$core_actions_post = array_merge( $core_actions_post, $core_actions_post_deprecated );

// Register core Ajax calls.
if ( ! empty( $_GET['action'] ) && in_array( $_GET['action'], $core_actions_get, true ) ) {
	add_action( 'wp_ajax_' . $_GET['action'], 'wp_ajax_' . str_replace( '-', '_', $_GET['action'] ), 1 );
}

if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_post, true ) ) {
	add_action( 'wp_ajax_' . $_POST['action'], 'wp_ajax_' . str_replace( '-', '_', $_POST['action'] ), 1 );
}

add_action( 'wp_ajax_nopriv_generate-password', 'wp_ajax_nopriv_generate_password' );

add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );

$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';

if ( is_user_logged_in() ) {
	// If no action is registered, return a Bad Request response.
	if ( ! has_action( "wp_ajax_{$action}" ) ) {
		wp_die( '0', 400 );
	}

	/**
	 * Fires authenticated Ajax actions for logged-in users.
	 *
	 * The dynamic portion of the hook name, `$action`, refers
	 * to the name of the Ajax action callback being fired.
	 *
	 * @since 2.1.0
	 */
	do_action( "wp_ajax_{$action}" );
} else {
	// If no action is registered, return a Bad Request response.
	if ( ! has_action( "wp_ajax_nopriv_{$action}" ) ) {
		wp_die( '0', 400 );
	}

	/**
	 * Fires non-authenticated Ajax actions for logged-out users.
	 *
	 * The dynamic portion of the hook name, `$action`, refers
	 * to the name of the Ajax action callback being fired.
	 *
	 * @since 2.8.0
	 */
	do_action( "wp_ajax_nopriv_{$action}" );
}

// Default status.
wp_die( '0' );
```
thank you guys
You pasted WordPress core code.
If that’s flagged and they think this is unsafe, they might as well report it to the WordPress security portal, since roughly 50 million websites would be vulnerable if said code were “unsafe”. I’m pretty sure you can ignore this as a false alarm.
If they think this is a real issue then it’d be a core issue and would need to be reported as described here https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/
I think there’s even a bounty for such things, see https://hackerone.com/wordpress?type=team
- This reply was modified 3 years, 2 months ago by Anonymous User 14808221.
This is the code
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: *
Cookie: privacy_embeds=consent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 21867
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: *
Connection: Keep-alive

action=mec_monthly_view_load_month&apply_sf_date=0&atts[_edit_last]=1&atts[_edit_lock]=1626242756:1&atts[author]=&atts[category]=&atts[html-class]=mecwidget%20&atts[id]=587&atts[label]=&atts[location]=&atts[organizer]=&atts[rs_page_bg_color]=&atts[sf-options][agenda][address_search][placeholder]=&atts[sf-options][agenda][address_search][type]=0&atts[sf-options][agenda][category][type]=0&atts[sf-options][agenda][event_cost][type]=0&atts[sf-options][agenda][label][type]=0&atts[sf-options][agenda][location][type]=0&atts[sf-options][agenda][month_filter][type]=0&atts[sf-options][agenda][organizer][type]=0&atts[sf-options][agenda][speaker][type]=0&atts[sf-options][agenda][tag][type]=0&atts[sf-options][agenda][text_search][placeholder]=&atts[sf-options][agenda][text_search][type]=0&atts[sf-options][agenda][time_filter][type]=0&atts[sf-options][daily_view][address_search][placeholder]=&atts[sf-options][daily_view][address_search][type]=0&atts[sf-options][daily_view][category][type]=0&atts[sf-options][daily_view][event_cost][type]=0&atts[sf-options][daily_view][label][type]=0&atts[sf-options][daily_view][location][type]=0&atts[sf-options][daily_view][month_filter][type]=0&atts[sf-options][daily_view][organizer][type]=0&atts[sf-options][daily_view][speaker][type]=0&atts[sf-options][daily_view][tag][type]=0&atts[sf-options][daily_view][text_search][placeholder]=&atts[sf-options][daily_view][text_search][type]=0&atts[sf-options][daily_view][time_filter][type]=0&atts[sf-options][full_calendar][address_search][placeholder]=&atts[sf-options][full_calendar][address_search][type]=0&atts[sf-options][full_calendar][category][type]=0&atts[sf-options][full_calendar][event_cost][type]=0&atts[sf-options][full_calendar][label][type]=0&atts[sf-options][full_calendar][location][type]=0&atts[sf-options][full_calendar][month_filter][type]=0&atts[sf-options][full_calendar][organizer][type]=0&atts[sf-options][full_calendar][speaker][type]=0&atts[sf-options][full_calendar][tag][type]=0&atts[sf-options][full_calendar][text_search][placeholder]=&atts[sf-options][full_calendar][text_search][type]=0&atts[sf-options][full_calendar][time_filter][type]=0&atts[sf-options][grid][address_search][placeholder]=&atts[sf-options][grid][address_search][type]=0&atts[sf-options][grid][category][type]=0&atts[sf-options][grid][event_cost][type]=0&atts[sf-options][grid][label][type]=0&atts[sf-options][grid][location][type]=0&atts[sf-options][grid][month_filter][type]=0&atts[sf-options][grid][organizer][type]=0&atts[sf-options][grid][speaker][type]=0&atts[sf-options][grid][tag][type]=0&atts[sf-options][grid][text_search][placeholder]=&atts[sf-options][grid][text_search][type]=0&atts[sf-options][grid][time_filter][type]=0&atts[sf-options][list][address_search][placeholder]=&atts[sf-options][list][address_search][type]=0&atts[sf-options][list][category][type]=0&atts[sf-options][list][event_cost][type]=0&atts[sf-options][list][label][type]=0&atts[sf-options][list][location][type]=0&atts[sf-options][list][month_filter][type]=0&atts[sf-options][list][organizer][type]=0&atts[sf-options][list][speaker][type]=0&atts[sf-options][list][tag][type]=0&atts[sf-options][list][text_search][placeholder]=&atts[sf-options][list][text_search][type]=0&atts[sf-options][list][time_filter][type]=0&atts[sf-options][map][address_search][placeholder]=&atts[sf-options][map][address_search][type]=0&atts[sf-options][map][category][type]=0&atts[sf-options][map][event_cost][type]=0&atts[sf-options][map][label][type]=0&atts[sf-options][map][location][type]=0&atts[sf-options][map][month_filter][type]=0&atts[sf-options][map][organizer][type]=0&atts[sf-options][map][speaker][type]=0&atts[sf-options][map][tag][type]=0&atts[sf-options][map][text_search][placeholder]=&atts[sf-options][map][text_search][type]=0&atts[sf-options][monthly_view][address_search][placeholder]=&atts[sf-options][monthly_view][address_search][type]=0&atts[sf-options][monthly_view][category][type]=dropdown&atts[sf-options][monthly_view][event_cost][type]=0&atts[sf-options][monthly_view][label][type]=0&atts[sf-options][monthly_view][location][type]=0&atts[sf-options][monthly_view][month_filter][type]=0&atts[sf-options][monthly_view][organizer][type]=0&atts[sf-options][monthly_view][speaker][type]=0&atts[sf-options][monthly_view][tag][type]=0&atts[sf-options][monthly_view][text_search][placeholder]=&atts[sf-options][monthly_view][text_search][type]=text_input&atts[sf-options][monthly_view][time_filter][type]=0&atts[sf-options][tile][address_search][placeholder]=&atts[sf-options][tile][address_search][type]=0&atts[sf-options][tile][category][type]=0&atts[sf-options][tile][event_cost][type]=0&atts[sf-options][tile][label][type]=0&atts[sf-options][tile][location][type]=0&atts[sf-options][tile][month_filter][type]=0&atts[sf-options][tile][organizer][type]=0&atts[sf-options][tile][speaker][type]=0&atts[sf-options][tile][tag][type]=0&atts[sf-options][tile][text_search][placeholder]=&atts[sf-options][tile][text_search][type]=0&atts[sf-options][tile][time_filter][type]=0&atts[sf-options][timetable][address_search][placeholder]=&atts[sf-options][timetable][address_search][type]=0&atts[sf-options][timetable][category][type]=0&atts[sf-options][timetable][event_cost][type]=0&atts[sf-options][timetable][label][type]=0&atts[sf-options][timetable][location][type]=0&atts[sf-options][timetable][month_filter][type]=0&atts[sf-options][timetable][organizer][type]=0&atts[sf-options][timetable][speaker][type]=0&atts[sf-options][timetable][tag][type]=0&atts[sf-options][timetable][text_search][placeholder]=&atts[sf-options][timetable][text_search][type]=0&atts[sf-options][timetable][time_filter][type]=0&atts[sf-options][weekly_view][address_search][placeholder]=&atts[sf-options][weekly_view][address_search][type]=0&atts[sf-options][weekly_view][category][type]=0&atts[sf-options][weekly_view][event_cost][type]=0&atts[sf-options][weekly_view][label][type]=0&atts[sf-options][weekly_view][location][type]=0&atts[sf-options][weekly_view][month_filter][type]=0&atts[sf-options][weekly_view][organizer][type]=0&atts[sf-options][weekly_view][speaker][type]=0&atts[sf-options][weekly_view][tag][type]=0&atts[sf-options][weekly_view][text_search][placeholder]=&atts[sf-options][weekly_view][text_search][type]=0&atts[sf-options][weekly_view][time_filter][type]=0&atts[sf-options][yearly_view][address_search][placeholder]=&atts[sf-options][yearly_view][address_search][type]=0&atts[sf-options][yearly_view][category][type]=0&atts[sf-options][yearly_view][event_cost][type]=0&atts[sf-options][yearly_view][label][type]=0&atts[sf-options][yearly_view][location][type]=0&atts[sf-options][yearly_view][month_filter][type]=0&atts[sf-options][yearly_view][organizer][type]=0&atts[sf-options][yearly_view][speaker][type]=0&atts[sf-options][yearly_view][tag][type]=0&atts[sf-options][yearly_view][text_search][placeholder]=&atts[sf-options][yearly_view][text_search][type]=0&atts[sf-options][yearly_view][time_filter][type]=0&atts[sf_display_label]=0&atts[sf_status]=0&atts[show_ongoing_events]=0&atts[show_only_one_occurrence]=0&atts[show_only_ongoing_events]=0&atts[show_only_past_events]=0&atts[show_past_events]=1&atts[sk-options][agenda][clean_date_format1]=l&atts[sk-options][agenda][clean_date_format2]=F%20j&atts[sk-options][agenda][custom_data]=0&atts[sk-options][agenda][display_label]=0&atts[sk-options][agenda][end_date_type]=date&atts[sk-options][agenda][image_popup]=0&atts[sk-options][agenda][include_local_time]=0&atts[sk-options][agenda][limit]=&atts[sk-options][agenda][load_more_button]=1&atts[sk-options][agenda][maximum_date_range]=&atts[sk-options][agenda][month_divider]=0&atts[sk-options][agenda][reason_for_cancellation]=0&atts[sk-options][agenda][sed_method]=0&atts[sk-options][agenda][start_date]=&atts[sk-options][agenda][start_date_type]=today&atts[sk-options][agenda][style]=clean&atts[sk-options][available_spot][date_format1]=j&atts[sk-options][available_spot][date_format2]=F&atts[sk-options][available_spot][display_label]=0&atts[sk-options][available_spot][event_id]=-1&atts[sk-options][available_spot][include_local_time]=0&atts[sk-options][available_spot][reason_for_cancellation]=0&atts[sk-options][carousel][archive_link]=&atts[sk-options][carousel][autoplay]=&atts[sk-options][carousel][autoplay_status]=1&atts[sk-options][carousel][count]=2&atts[sk-options][carousel][custom_data]=0&atts[sk-options][carousel][display_label]=0&atts[sk-options][carousel][head_text]=&atts[sk-options][carousel][image_popup]=0&atts[sk-options][carousel][include_events_times]=0&atts[sk-options][carousel][include_local_time]=0&atts[sk-options][carousel][limit]=&atts[sk-options][carousel][loop_status]=1&atts[sk-options][carousel][reason_for_cancellation]=0&atts[sk-options][carousel][sed_method]=0&atts[sk-options][carousel][start_date]=&atts[sk-options][carousel][start_date_type]=today&atts[sk-options][carousel][style]=type1&atts[sk-options][carousel][type1_date_format1]=d&atts[sk-options][carousel][type1_date_format2]=F&atts[sk-options][carousel][type1_date_format3]=Y&atts[sk-options][carousel][type2_date_format1]=M%20d%2C%20Y&atts[sk-options][carousel][type3_date_format1]=M%20d%2C%20Y&atts[sk-options][countdown][bg_color]=%23437df9&atts[sk-options][countdown][date_format_style11]=j%20F%20Y&atts[sk-options][countdown][date_format_style21]=j%20F%20Y&atts[sk-options][countdown][date_format_style31]=j&atts[sk-options][countdown][date_format_style32]=F&atts[sk-options][countdown][date_format_style33]=Y&atts[sk-options][countdown][display_label]=0&atts[sk-options][countdown][event_id]=-1&atts[sk-options][countdown][include_local_time]=0&atts[sk-options][countdown][reason_for_cancellation]=0&atts[sk-options][countdown][style]=style1&atts[sk-options][cover][date_format_classic1]=F%20d&atts[sk-options][cover][date_format_classic2]=l&atts[sk-options][cover][date_format_clean1]=d&atts[sk-options][cover][date_format_clean2]=M&atts[sk-options][cover][date_format_clean3]=Y&atts[sk-options][cover][date_format_modern1]=l%2C%20F%20d%20Y&atts[sk-options][cover][display_label]=0&atts[sk-options][cover][event_id]=4475&atts[sk-options][cover][include_local_time]=0&atts[sk-options][cover][reason_for_cancellation]=0&atts[sk-options][cover][style]=classic&atts[sk-options][daily_view][custom_data]=0&atts[sk-options][daily_view][display_categories]=0&atts[sk-options][daily_view][display_label]=0&atts[sk-options][daily_view][display_organizer]=0&atts[sk-options][daily_view][image_popup]=0&atts[sk-options][daily_view][include_local_time]=0&atts[sk-options][daily_view][limit]=&atts[sk-options][daily_view][next_previous_button]=1&atts[sk-options][daily_view][reason_for_cancellation]=0&atts[sk-options][daily_view][sed_method]=0&atts[sk-options][daily_view][start_date]=&atts[sk-options][daily_view][start_date_type]=today&atts[sk-options][full_calendar][activate_current_day]=1&atts[sk-options][full_calendar][activate_first_date]=0&atts[sk-options][full_calendar][custom_data]=0&atts[sk-options][full_calendar][daily]=1&atts[sk-options][full_calendar][date_format_list]=d%20M&atts[sk-options][full_calendar][date_format_yearly_1]=l&atts[sk-options][full_calendar][date_format_yearly_2]=F%20j&atts[sk-options][full_calendar][default_view]=list&atts[sk-options][full_calendar][display_label]=0&atts[sk-options][full_calendar][display_price]=0&atts[sk-options][full_calendar][end_date_type_grid]=date&atts[sk-options][full_calendar][end_date_type_list]=date&atts[sk-options][full_calendar][grid]=0&atts[sk-options][full_calendar][image_popup]=0&atts[sk-options][full_calendar][include_local_time]=0&atts[sk-options][full_calendar][limit]=&atts[sk-options][full_calendar][list]=1&atts[sk-options][full_calendar][maximum_date_range_grid]=&atts[sk-options][full_calendar][maximum_date_range_list]=&atts[sk-options][full_calendar][monthly]=1&atts[sk-options][full_calendar][monthly_style]=clean&atts[sk-options][full_calendar][reason_for_cancellation]=0&atts[sk-options][full_calendar][sed_method]=0&atts[sk-options][full_calendar][start_date]=&atts[sk-options][full_calendar][start_date_type]=today&atts[sk-options][full_calendar][tile]=0&atts[sk-options][full_calendar][weekly]=1&atts[sk-options][full_calendar][yearly]=0&atts[sk-options][grid][classic_date_format1]=d%20F%20Y&atts[sk-options][grid][clean_date_format1]=d&atts[sk-options][grid][clean_date_format2]=F&atts[sk-options][grid][colorful_date_format1]=d&atts[sk-options][grid][colorful_date_format2]=F&atts[sk-options][grid][colorful_date_format3]=l&atts[sk-options][grid][count]=1&atts[sk-options][grid][custom_data]=0&atts[sk-options][grid][display_categories]=0&atts[sk-options][grid][display_label]=0&atts[sk-options][grid][display_organizer]=0&atts[sk-options][grid][end_date_type]=date&atts[sk-options][grid][image_popup]=0&atts[sk-options][grid][include_events_times]=0&atts[sk-options][grid][include_local_time]=0&atts[sk-options][grid][limit]=&atts[sk-options][grid][load_more_button]=1&atts[sk-options][grid][maximum_date_range]=&atts[sk-options][grid][minimal_date_format1]=d&atts[sk-options][grid][minimal_date_format2]=M&atts[sk-options][grid][modern_date_format1]=d&atts[sk-options][grid][modern_date_format2]=F&atts[sk-options][grid][modern_date_format3]=l&atts[sk-options][grid][novel_date_format1]=d%20F%20Y&atts[sk-options][grid][reason_for_cancellation]=0&atts[sk-options][grid][sed_method]=0&atts[sk-options][grid][set_geolocation]=0&atts[sk-options][grid][set_geolocation_focus]=0&atts[sk-options][grid][simple_date_format1]=M%20d%20Y&atts[sk-options][grid][start_date]=&atts[sk-options][grid][start_date_type]=today&atts[sk-options][grid][style]=classic&atts[sk-options][list][accordion_date_format1]=d&atts[sk-options][list][accordion_date_format2]=F&atts[sk-options][list][classic_date_format1]=M%20d%20Y&atts[sk-options][list][custom_data]=0&atts[sk-options][list][display_categories]=0&atts[sk-options][list][display_label]=0&atts[sk-options][list][display_organizer]=0&atts[sk-options][list][end_date_type]=date&atts[sk-options][list][image_popup]=0&atts[sk-options][list][include_events_times]=0&atts[sk-options][list][include_local_time]=0&atts[sk-options][list][limit]=&atts[sk-options][list][load_more_button]=1&atts[sk-options][list][maximum_date_range]=&atts[sk-options][list][minimal_date_format1]=d&atts[sk-options][list][minimal_date_format2]=M&atts[sk-options][list][minimal_date_format3]=l&atts[sk-options][list][modern_date_format1]=d&atts[sk-options][list][modern_date_format2]=F&atts[sk-options][list][modern_date_format3]=l&atts[sk-options][list][month_divider]=1&atts[sk-options][list][reason_for_cancellation]=0&atts[sk-options][list][sed_method]=0&atts[sk-options][list][set_geolocation]=0&atts[sk-options][list][set_geolocation_focus]=0&atts[sk-options][list][standard_date_format1]=d%20M&atts[sk-options][list][start_date]=&atts[sk-options][list][start_date_type]=today&atts[sk-options][list][style]=classic&atts[sk-options][list][toggle_month_divider]=0&atts[sk-options][map][geolocation]=0&atts[sk-options][map][geolocation_focus]=0&atts[sk-options][map][limit]=200&atts[sk-options][map][start_date]=&atts[sk-options][map][start_date_type]=today&atts[sk-options][masonry][custom_data]=0&atts[sk-options][masonry][date_format1]=j&atts[sk-options][masonry][date_format2]=F&atts[sk-options][masonry][display_categories]=0&atts[sk-options][masonry][display_label]=0&atts[sk-options][masonry][display_organizer]=0&atts[sk-options][masonry][end_date_type]=date&atts[sk-options][masonry][filter_by]=&atts[sk-options][masonry][fit_to_row]=0&atts[sk-options][masonry][image_popup]=0&atts[sk-options][masonry][include_local_time]=0&atts[sk-options][masonry][limit]=&atts[sk-options][masonry][load_more_button]=0&atts[sk-options][masonry][masonry_like_grid]=0&atts[sk-options][masonry][maximum_date_range]=&atts[sk-options][masonry][reason_for_cancellation]=0&atts[sk-options][masonry][sed_method]=0&atts[sk-options][masonry][start_date]=&atts[sk-options][masonry][start_date_type]=today&atts[sk-options][monthly_view][activate_current_day]=1&atts[sk-options][monthly_view][activate_first_date]=0&atts[sk-options][monthly_view][custom_data]=0&atts[sk-options][monthly_view][display_all]=0&atts[sk-options][monthly_view][display_label]=0&atts[sk-options][monthly_view][image_popup]=0&atts[sk-options][monthly_view][include_local_time]=0&atts[sk-options][monthly_view][limit]=&atts[sk-options][monthly_view][next_previous_button]=1&atts[sk-options][monthly_view][reason_for_cancellation]=0&atts[sk-options][monthly_view][sed_method]=09878();}]9365&atts[sk-options][monthly_view][start_date]=&atts[sk-options][monthly_view][start_date_type]=start_current_month&atts[sk-options][monthly_view][style]=classic&atts[sk-options][slider][autoplay]=&atts[sk-options][slider][custom_data]=0&atts[sk-options][slider][display_label]=0&atts[sk-options][slider][include_local_time]=0&atts[sk-options][slider][limit]=&atts[sk-options][slider][reason_for_cancellation]=0&atts[sk-options][slider][start_date]=&atts[sk-options][slider][start_date_type]=today&atts[sk-options][slider][style]=t1&atts[sk-options][slider][transition_time]=250&atts[sk-options][slider][type1_date_format1]=d&atts[sk-options][slider][type1_date_format2]=F&atts[sk-options][slider][type1_date_format3]=l&atts[sk-options][slider][type2_date_format1]=d&atts[sk-options][slider][type2_date_format2]=F&atts[sk-options][slider][type2_date_format3]=l&atts[sk-options][slider][type3_date_format1]=d&atts[sk-options][slider][type3_date_format2]=F&atts[sk-options][slider][type3_date_format3]=l&atts[sk-options][slider][type4_date_format1]=d&atts[sk-options][slider][type4_date_format2]=F&atts[sk-options][slider][type4_date_format3]=l&atts[sk-options][slider][type5_date_format1]=d&atts[sk-options][slider][type5_date_format2]=F&atts[sk-options][slider][type5_date_format3]=l&atts[sk-options][tile][clean_date_format1]=j&atts[sk-options][tile][clean_date_format2]=M&atts[sk-options][tile][count]=4&atts[sk-options][tile][custom_data]=0&atts[sk-options][tile][display_categories]=0&atts[sk-options][tile][display_label]=0&atts[sk-options][tile][display_organizer]=0&atts[sk-options][tile][image_popup]=0&atts[sk-options][tile][limit]=&atts[sk-options][tile][load_more_button]=1&atts[sk-options][tile][next_previous_button]=1&atts[sk-options][tile][reason_for_cancellation]=0&atts[sk-options][tile][sed_method]=0&atts[sk-options][tile][start_date]=&atts[sk-options][tile][start_date_type]=start_current_month&atts[sk-options][timeline][classic_date_format1]=d%20F%20Y&atts[sk-options][timeline][custom_data]=0&atts[sk-options][timeline][display_categories]=0&atts[sk-options][timeline][display_label]=0&atts[sk-options][timeline][display_organizer]=0&atts[sk-options][timeline][end_date_type]=date&atts[sk-options][timeline][image_popup]=0&atts[sk-options][timeline][include_local_time]=0&atts[sk-options][timeline][limit]=&atts[sk-options][timeline][load_more_button]=1&atts[sk-options][timeline][maximum_date_range]=&atts[sk-options][timeline][month_divider]=0&atts[sk-options][timeline][reason_for_cancellation]=0&atts[sk-options][timeline][sed_method]=0&atts[sk-options][timeline][start_date]=&atts[sk-options][timeline][start_date_type]=today&atts[sk-options][timetable][custom_data]=0&atts[sk-options][timetable][display_label]=0&atts[sk-options][timetable][end_time]=13&atts[sk-options][timetable][image_popup]=0&atts[sk-options][timetable][include_local_time]=0&atts[sk-options][timetable][limit]=&atts[sk-options][timetable][next_previous_button]=1&atts[sk-options][timetable][number_of_days]=5&atts[sk-options][timetable][number_of_days_modern]=7&atts[sk-options][timetable][reason_for_cancellation]=0&atts[sk-options][timetable][sed_method]=0&atts[sk-options][timetable][start_date]=&atts[sk-options][timetable][start_date_type]=start_current_week&atts[sk-options][timetable][start_time]=1&atts[sk-options][timetable][style]=modern&atts[sk-options][timetable][week_start]=-1&atts[sk-options][weekly_view][custom_data]=0&atts[sk-options][weekly_view][display_categories]=0&atts[sk-options][weekly_view][display_label]=0&atts[sk-options][weekly_view][display_organizer]=0&atts[sk-options][weekly_view][image_popup]=0&atts[sk-options][weekly_view][include_local_time]=0&atts[sk-options][weekly_view][limit]=&atts[sk-options][weekly_view][next_previous_button]=1&atts[sk-options][weekly_view][reason_for_cancellation]=0&atts[sk-options][weekly_view][sed_method]=0&atts[sk-options][weekly_view][start_date]=&atts[sk-options][weekly_view][start_date_type]=start_current_week&atts[sk-options][yearly_view][custom_data]=0&atts[sk-options][yearly_view][display_label]=0&atts[sk-options][yearly_view][image_popup]=0&atts[sk-options][yearly_view][include_local_time]=0&atts[sk-options][yearly_view][limit]=&atts[sk-options][yearly_view][modern_date_format1]=l&atts[sk-options][yearly_view][modern_date_format2]=F%20j&atts[sk-options][yearly_view][months][1]=1&atts[sk-options][yearly_view][months][10]=1&atts[sk-options][yearly_view][months][11]=1&atts[sk-options][yearly_view][months][12]=1&atts[sk-options][yearly_view][months][2]=1&atts[sk-options][yearly_view][months][3]=1&atts[sk-options][yearly_view][months][4]=1&atts[sk-options][yearly_view][months][5]=1&atts[sk-options][yearly_view][months][6]=1&atts[sk-options][yearly_view][months][7]=1&atts[sk-options][yearly_view][months][8]=1&atts[sk-options][yearly_view][months][9]=1&atts[sk-options][yearly_view][next_previous_button]=1&atts[sk-options][yearly_view][reason_for_cancellation]=0&atts[sk-options][yearly_view][sed_method]=0&atts[sk-options][yearly_view][start_date]=&atts[sk-options][yearly_view][start_date_type]=start_current_year&atts[sk-options][yearly_view][style]=modern&atts[skin]=monthly_view&atts[style]=classic&atts[tag]=&atts[widget]=1&atts[widget_autoplay]=1&atts[widget_autoplay_time]=3000&atts[widget_loop]=1&mec_month=07&mec_year=2021&navigator_click=true
```
Interestingly enough that action parameter is part of this. https://git.bksp.space/BlackSponge/event-scraper/src/branch/master/src/main.rs
But it certainly has nothing to do with WordPress, and is unrelated to the report you sent prior.
That prior report, if anything, needs to be reported at the place I mentioned earlier.
The last “code” you shared (which is not really code, just the query parameters) is not part of WordPress at all, and is likely part of either custom code, a plugin or a theme. Thus in that case you have to reach out to the specific plugin or theme that produces that query.
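As an added illustration (not WordPress code and not the code of the plugin behind this action): admin-ajax.php only dispatches the `action` parameter to whatever callback is hooked on `wp_ajax_{action}` / `wp_ajax_nopriv_{action}`, so the reflection the scanner found lives in the handler a plugin registered for `mec_monthly_view_load_month`. The standalone PHP script below reproduces that pattern, a POSTed `atts[...]` value written straight into an inline `<script>`, beside a hardened version and a check that mirrors what the scanner tested. The function names, the accepted values for `sed_method` and the shortened request body are assumptions.

```php
<?php
// Added example. The real handler is found by searching the plugin tree for the hook
// name admin-ajax.php builds from the action, e.g. "wp_ajax_nopriv_mec_monthly_view_load_month".

// Constructed, shortened form body in the same shape as the scanner's request
// (the probe value is the one from the scanner's request above).
$body = 'action=mec_monthly_view_load_month'
      . '&atts[id]=587'
      . '&atts[skin]=monthly_view'
      . '&atts[sk-options][monthly_view][style]=classic'
      . '&atts[sk-options][monthly_view][sed_method]=09878();}]9365'
      . '&mec_month=07&mec_year=2021';
parse_str($body, $post);          // same nested array PHP builds for $_POST
$atts  = $post['atts'];
$probe = $atts['sk-options']['monthly_view']['sed_method'];

/** Vulnerable pattern (hypothetical): the untrusted value is interpolated into JavaScript. */
function render_month_unsafe(array $atts): string
{
    $sed = $atts['sk-options']['monthly_view']['sed_method'] ?? '0';
    return '<div class="mec-month"></div>'
         . '<script>mec_init({sed_method:' . $sed . '});</script>';
}

/**
 * Hardened pattern (hypothetical): validate against the values the option can legitimately
 * take, then encode for the JavaScript context. In a WordPress handler this belongs behind
 * check_ajax_referer() and, for privileged actions, a current_user_can() test.
 */
function render_month_safe(array $atts): string
{
    $allowed = ['0', '1'];                                   // assumed legitimate values
    $raw = (string) ($atts['sk-options']['monthly_view']['sed_method'] ?? '0');
    $sed = in_array($raw, $allowed, true) ? (int) $raw : 0;  // reject, do not "clean"

    // json_encode with the HEX flags is safe inside a <script> body; wp_json_encode()
    // wraps json_encode(), so the same flags apply there. esc_js() is meant for
    // inline JS inside HTML attributes, not for script bodies.
    $js = json_encode(
        ['sed_method' => $sed],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<div class="mec-month"></div>'
         . '<script>mec_init(' . $js . ');</script>';
}

/** What the scanner checked: does the probe appear verbatim inside a <script> block? */
function probe_reflected_in_script(string $html, string $probe): bool
{
    if (!preg_match_all('#<script\b[^>]*>(.*?)</script>#is', $html, $m)) {
        return false;
    }
    foreach ($m[1] as $script) {
        if (strpos($script, $probe) !== false) {
            return true;
        }
    }
    return false;
}

// Run both handlers over the constructed request and report, as the scanner would.
foreach (['unsafe' => 'render_month_unsafe', 'hardened' => 'render_month_safe'] as $name => $fn) {
    $html = $fn($atts);
    printf(
        "%-8s handler reflects probe inside <script>: %s\n",
        $name,
        probe_reflected_in_script($html, $probe) ? 'yes' : 'no'
    );
}
```

The same check works as a regression test against the fixed plugin: POST the scanner's body to admin-ajax.php and run the response through probe_reflected_in_script().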
- The topic ‘Cross site scripting (XSS) adminajax.php’ is closed to new replies.