• I really hate to mention anything negative about any plug-in script, but I feel it’s my duty to the WordPress community when it comes to security.

    This WordPress Link Directory is a great concept; in fact, I never had any issue like other people with the script besides having to adjust the MySQL database. I even run the latest version, WordPress 2.7 and now 2.8.

    However, since I have a McAfee Secure site, I can never get the WordPress Link Directory to pass. Please keep in mind I run several plug-ins that passed the test.

    I think the developer should have taken the extra step with this script instead of just thinking about getting rank on the search engines because of links being directed to your website. However, that’s another story.

    The WordPress Link Directory needs some work on the security issues, since it is vulnerable to cross-site scripting.

    This is something that the developer can do to fix this issue:

    ******************************
    The WordPress Link Directory remote web application appears to be vulnerable to cross-site scripting (XSS).

    The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without sanitizing user input.

    The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

    The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

    The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.

    When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.

    Ensure that parameters and user input are sanitized by doing the following:
    # Remove < input and replace with &lt;
    # Remove > input and replace with &gt;
    # Remove ' input and replace with &#39;
    # Remove " input and replace with &quot;
    # Remove ) input and replace with &#41;
    # Remove ( input and replace with &#40;

    *******************************************

    So for the user today, just keep in mind: beware of what can happen to your users.

    That’s all of it in a nutshell; hopefully the developer cares enough to take the extra steps. It’s a great script.

    For the people who are looking for a clean directory plug-in, I suggest the “Open Links Directory”. It’s clean and it passes the McAfee Secure test.

    https://www.ads-software.com/extend/plugins/wordpress-link-directory/

  • Hey Zeek, thanks for your feedback.

    As far as I was aware I had removed all XSS vulnerabilities from WPLD via a combination of the PHP functions htmlspecialchars and strip_tags. If you’re aware of any pages where XSS is still possible please let me know and I can secure them.

    While XSS is a minor issue which is more aimed towards phishing and only really applicable on larger websites, it’s easy to fix and I’m happy to do it.

    Cheers
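    As an added example (not Zeek’s pasted report and not code from the WordPress Link Directory plugin), the six replacements the McAfee report lists written as a PHP helper, beside the htmlspecialchars() approach Sean mentions; the wpld_* function names and the sample string are made up here.

```php
<?php
// Added example, not code from the WordPress Link Directory plugin.
// Function names (wpld_*) and the sample string are constructed here.

/**
 * Output-encode a value the way the scan report prescribes: the six
 * listed characters become HTML entities, so user-submitted link text
 * is rendered as text and never as markup or script.
 */
function wpld_encode_listed_chars($value) {
    $map = array(
        '<' => '&lt;',
        '>' => '&gt;',
        "'" => '&#39;',
        '"' => '&quot;',
        ')' => '&#41;',
        '(' => '&#40;',
    );
    return strtr((string) $value, $map);
}

/**
 * The idiomatic PHP route: ENT_QUOTES covers both quote characters,
 * and '&' is encoded as well, which the report's list leaves out.
 * In WordPress 2.8+ esc_html() / esc_attr() wrap the same call.
 */
function wpld_escape_html($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/**
 * Self-check before echoing into HTML: none of the raw characters
 * the report flags may survive encoding.
 */
function wpld_has_raw_markup_chars($encoded) {
    return preg_match('/[<>"\'()]/', $encoded) === 1;
}

// Constructed sample: a link description containing markup and quotes.
$sample = '<b title="x">Link</b> & \'quotes\'';

foreach (array('listed'           => wpld_encode_listed_chars($sample),
               'htmlspecialchars' => wpld_escape_html($sample)) as $name => $out) {
    printf("%-16s %s (raw chars left: %s)\n", $name, $out,
           wpld_has_raw_markup_chars($out) ? 'yes' : 'no');
}

// strip_tags() alone is not a substitute: it drops the <b> tags but
// leaves the quotes intact, so it cannot protect an attribute context.
printf("%-16s %s\n", 'strip_tags', strip_tags($sample));
```

    Run it with the PHP CLI; the two encoded lines contain no raw markup characters, while the strip_tags line still carries the quotes and the ampersand.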

  • Sean’s site is listed by Google as unsafe. I think that there may be some work to do in fixing the security holes.

  • This is quite a shame. I rather liked the idea, but its current behavior terrifies me. Any other options?

  • I’m also terrified of using it. When I tried to visit the plugin page, my PC alerted it as an attack site and suggested not even entering it. I’m listening to it. Great idea, not worth the potential hazards.

  • The topic ‘[Plugin: WordPress Link Directory] User Beware of the WordPress Link Directory Plug in’ is closed to new replies.