• Resolved Julio Potier

    (@juliobox)


    Hello

    A nonce token is missing in the settings; check “wp_nonce_field()” and “check_admin_referer()” in the WP Codex. This leads to a CSRF attack.
    Also, an XSS attack is possible because the title is not sanitized with “esc_attr()” and “esc_html()”.

    BUT, if I close my eyes on this, this is a great idea! Nice work
    Waiting for the next patch to use it

    See you !

    https://www.ads-software.com/extend/plugins/tabify-edit-screen/
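The two points raised in this report, a settings form saved without a nonce (CSRF) and a title echoed back without escaping (XSS), as an added illustration that is not code from the plugin or from either poster. It shows a minimal WordPress settings page in the vulnerable shape beside the hardened one using the functions named above. The option name, nonce action, field names and function names (`tes_example_*`) are hypothetical; the plugin's actual settings code is not shown on this page.

```php
<?php
// Added example (hypothetical option/action/field names); not the plugin's code.

// --- Vulnerable pattern: no nonce check, no output escaping ---------------
function tes_example_vulnerable_settings_page() {
    if ( isset( $_POST['tes_example_title'] ) ) {
        // Any third-party page that gets a logged-in admin to submit a form
        // (CSRF) can change this option, and the raw value is stored as-is.
        update_option( 'tes_example_title', $_POST['tes_example_title'] );
    }
    $title = get_option( 'tes_example_title', '' );
    echo '<form method="post">';
    // Unescaped output: a stored value such as  "><script>...</script>
    // breaks out of the value attribute and runs in the admin's browser (XSS).
    echo '<input type="text" name="tes_example_title" value="' . $title . '">';
    echo '<p>Current title: ' . $title . '</p>';
    submit_button();
    echo '</form>';
}

// --- Hardened pattern: capability check, nonce, sanitize in, escape out ----
function tes_example_secure_settings_page() {
    // A nonce proves intent, not authorization; the capability check stays.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'tes-example' ) );
    }
    if ( isset( $_POST['tes_example_title'] ) ) {
        // Dies unless the submitted nonce field matches this action for the
        // current user, so a forged cross-site POST is rejected.
        check_admin_referer( 'tes_example_save_title', 'tes_example_nonce' );
        $title = sanitize_text_field( wp_unslash( $_POST['tes_example_title'] ) );
        update_option( 'tes_example_title', $title );
    }
    $title = get_option( 'tes_example_title', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field (and the referer field by default).
    wp_nonce_field( 'tes_example_save_title', 'tes_example_nonce' );
    // esc_attr() for attribute context, esc_html() for element text context.
    echo '<input type="text" name="tes_example_title" value="' . esc_attr( $title ) . '">';
    echo '<p>Current title: ' . esc_html( $title ) . '</p>';
    submit_button();
    echo '</form>';
}

// Register the hardened page under Settings (hypothetical slug and title).
add_action( 'admin_menu', function () {
    add_options_page(
        'TES Example',
        'TES Example',
        'manage_options',
        'tes-example',
        'tes_example_secure_settings_page'
    );
} );
```

Two details worth keeping in mind: `check_admin_referer()` only checks that the request carries a valid nonce, so the `current_user_can()` check is still required, and escaping belongs at output time with the function matching the context (`esc_attr()` inside an attribute, `esc_html()` between tags), independently of whatever sanitization ran on save.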

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Marko Heijnen

    (@markoheijnen)

    Will fix that in the next release. Hopefully the end of this week.

    Plugin Author Marko Heijnen

    (@markoheijnen)

    I just released the new version. Please let me know what you think about the made improvements.

    Thread Starter Julio Potier

    (@juliobox)

    Hello, sorry for the delay, this is good Marko
    Did I win a “thanks to Julio from BoiteAWeb.fr” in the changelog near the “security” line?
    Thanks in advance

  • The topic ‘[Plugin: Tabify edit screen] Security issue’ is closed to new replies.