[wp-trac] [WordPress Trac] #25422: Don't escape plugin author field when deleting plugin
WordPress Trac
noreply at wordpress.org
Thu Sep 26 17:34:32 UTC 2013
#25422: Don't escape plugin author field when deleting plugin
----------------------------+------------------------------
 Reporter:  johnbillion     |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:
 Keywords:  has-patch       |
----------------------------+------------------------------
Comment (by nacin):
See [15521] and [15662]. The former was security hardening in 3.0.2.
Possible XSS (but only if you could delete plugins, which implies you can
arbitrarily execute PHP anyway). I don't remember the exact vector and am
having trouble locating details, but it shouldn't be hard to figure out.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25422#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software