
Tabify Edit Screen
[resolved] [Plugin: Tabify edit screen] Security issue (4 posts)

  1. Julio Potier
    Member
    Posted 2 years ago #

    Hello

    A nonce token is missing in the settings; check "wp_nonce_field()" and "check_admin_referer()" in the WP Codex. This leads to a CSRF attack.
    Also, an XSS attack is possible because the title is not sanitized with "esc_attr()" and "esc_html()".

    BUT, if I close my eyes to this, this is a great idea! Nice work :)
    Waiting for the next patch to use it ;)

    See you !

    http://wordpress.org/extend/plugins/tabify-edit-screen/
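The two defects named in the report, side by side with the fix, as an added example that is not code from the Tabify Edit Screen plugin or from either poster. It assumes it runs inside WordPress as part of a plugin (the `wp_*`, `esc_*`, `check_admin_referer()` and option functions are WordPress core APIs); the option name `tes_demo_settings`, the nonce action/field names and the `tes_demo_*` function names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded.
// Option name 'tes_demo_settings' and all tes_demo_* names are hypothetical.

// --- Vulnerable settings handler: no nonce check, no output escaping ---------
function tes_demo_render_vulnerable() {
    if ( isset( $_POST['tes_title'] ) ) {
        // CSRF: any page a logged-in admin visits can auto-submit a POST
        // here, and nothing proves the request came from our own form.
        update_option( 'tes_demo_settings', array( 'title' => $_POST['tes_title'] ) );
    }
    $settings = get_option( 'tes_demo_settings', array( 'title' => '' ) );

    // Stored XSS: the saved title is echoed raw into an attribute value
    // and into element text, so a title such as  "><script>…</script>
    // runs for every admin who opens this screen.
    echo '<form method="post">';
    echo '<input type="text" name="tes_title" value="' . $settings['title'] . '">';
    echo '<h2>' . $settings['title'] . '</h2>';
    echo '<input type="submit" value="Save"></form>';
}

// --- Hardened settings handler -----------------------------------------------
function tes_demo_render_hardened() {
    // Capability check: only users allowed to manage options may save or view.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['tes_title'] ) ) {
        // check_admin_referer() verifies the nonce submitted in the
        // 'tes_demo_nonce' field for action 'tes_demo_save' and dies with
        // an error page if it is missing, forged or expired. The nonce is
        // tied to the current user and session, so a cross-site form cannot
        // supply a valid one.
        check_admin_referer( 'tes_demo_save', 'tes_demo_nonce' );

        // Sanitize on input: strip tags/line breaks, remove WP's added slashes.
        $title = sanitize_text_field( wp_unslash( $_POST['tes_title'] ) );
        update_option( 'tes_demo_settings', array( 'title' => $title ) );
    }
    $settings = get_option( 'tes_demo_settings', array( 'title' => '' ) );

    echo '<form method="post">';
    // wp_nonce_field() emits the hidden nonce input (plus a referer field)
    // that check_admin_referer() above expects.
    wp_nonce_field( 'tes_demo_save', 'tes_demo_nonce' );
    // Escape on output, per context: esc_attr() inside an attribute value,
    // esc_html() inside element text. Sanitizing on input is not a substitute.
    echo '<input type="text" name="tes_title" value="' . esc_attr( $settings['title'] ) . '">';
    echo '<h2>' . esc_html( $settings['title'] ) . '</h2>';
    echo '<input type="submit" value="Save"></form>';
}
```

Two caveats worth knowing when applying this pattern: a WordPress nonce is not a true single-use token but a time-limited HMAC (valid for roughly 12 to 24 hours for that user and action), so it stops cross-site forgery but does not prevent replay within that window; and the nonce check does not replace the capability check, which is why both appear above. If the handler must not terminate on failure (for example in an AJAX path), `wp_verify_nonce()` returns false instead of dying and lets you return an error response.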

  2. Marko Heijnen
    Member
    Plugin Author

    Posted 2 years ago #

    Will fix that in the next release. Hopefully the end of this week.

  3. Marko Heijnen
    Member
    Plugin Author

    Posted 2 years ago #

    I just released the new version. Please let me know what you think about the made improvements.

  4. Julio Potier
    Member
    Posted 2 years ago #

    Hello, sorry for the delay; this is good, Marko :)
    Did I win a "thanks to Julio from BoiteAWeb.fr" in the changelog near the "security" line? ;)
    Thanks in advance

Topic Closed

This topic has been closed to new replies.
