Title: Cross-site scripting vulnerabilities
Last modified: August 20, 2016

---

# Cross-site scripting vulnerabilities

 *  Resolved [hhr_web](https://wordpress.org/support/users/hhr_web/)
 * (@hhr_web)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerabilities/)
 * Our host has detected cross-site scripting vulnerabilities on the “a” and “thestate”
   parameters within your CGI files. At least from what I can tell from their log,
   it appears to be related to this plugin. Here is a part of their log:
 *     ```
       Using the GET HTTP method, Site Scanner found that :
       + The following resources may be vulnerable to injectable parameter :
       + The 'a' parameter of the /comic-strip-submitted-to-dee-cote/ CGI :
       /comic-strip-submitted-to-dee-cote/?a=%00rnrfrh
       -------- output --------
       <div class="entry-content">
       <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" />
       <input type="hidden" name="_wp_http_referer" value="/comic-strip-submitt
       ed-to-dee-cote/?a=%00rnrfrh" /><p>This content is restricted to site mem
       bers. If you are an existing user, please login. New users may registe
       r below.</p>
       <div class="wpmem_login">
       <a name="login"></a></p>
       ------------------------
       + The 'thestate' parameter of the /morgenthau-list-being-added/ CGI :
       /morgenthau-list-being-added/?thestate=%00rnrfrh
       -------- output --------
       <div class="entry-content">
       <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" />
       <input type="hidden" name="_wp_http_referer" value="/morgenthau-list-bei
       ng-added/?thestate=%00rnrfrh" /><p>This content is restricted to site me
       mbers. If you are an existing user, please login. New users may regist
       er below.</p>
       <div class="wpmem_login">
       <a name="login"></a></p>
       ```
   
 * According to the following URL regarding your 2.8.1 release, the cross-site scripting
   exploit has been closed: [http://rocketgeek.com/release-announcements/wp-members-2-8-1-release/](http://rocketgeek.com/release-announcements/wp-members-2-8-1-release/)
 * Can you confirm that this is still a valid issue and if so, when we might expect
   a new release to resolve it? Thanks.
 * [http://wordpress.org/extend/plugins/wp-members/](http://wordpress.org/extend/plugins/wp-members/)

Viewing 1 replies (of 1 total)

 *  Plugin Author [Chad Butler](https://wordpress.org/support/users/cbutlerjr/)
 * (@cbutlerjr)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerabilities/#post-3557971)
 * Neither of these would represent a vulnerability.
 * It is odd though that you would have thestate as a parameter in the querystring.
   I’m not 100% sure that would come from this plugin. When using the default form
   values that the plugin installs with, the value for State is passed as thestate.
   However, this is posted with the form, not passed as a querystring (the same 
   as all other registration form values). All of the registration form values are
   only accepted as $_POSTed values and not $_REQUEST/$_GET.
 * Likewise, the plugin does use an “a” parameter to pass actions, but again, when
   registering (accepting user input values), this is not passed as a querystring
   as it is shown above.
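
The scanner log in the original post only proves that the request URI is echoed into the `_wp_http_referer` hidden field; its probe `%00rnrfrh` carries no HTML metacharacters, so it cannot show injection. The following triage helper is an added example, not code from this thread or from the WP-Members plugin: `render_referer_field` is a constructed stand-in for that hidden field (its escaping branch mimics an attribute escaper such as WordPress's `esc_attr()`), and the page path and probe values are taken from the log or constructed for the re-test.

```python
import html
from urllib.parse import quote

HTML_METACHARS = '<>"\'&'

def render_referer_field(request_uri: str, escape_attr: bool = True) -> str:
    """Constructed stand-in for the hidden _wp_http_referer field in the scanner
    output; it echoes the request URI into a quoted attribute value. escape_attr=True
    encodes the value as an attribute escaper such as WordPress's esc_attr() would;
    False is the unsafe variant, included only for comparison."""
    value = html.escape(request_uri, quote=True) if escape_attr else request_uri
    return f'<input type="hidden" name="_wp_http_referer" value="{value}" />'

def reflection_form(body: str, probe: str) -> str:
    """How the decoded probe value shows up in the response body, if at all."""
    if probe in body:
        return 'raw'
    if html.escape(probe, quote=True) in body:
        return 'html-encoded'
    if quote(probe, safe='') in body:
        return 'url-encoded'
    return 'none'

def triage(body: str, probe: str) -> str:
    """Classify a 'parameter reflected' scanner finding.

    A probe without HTML metacharacters (the scanner's %00rnrfrh is a NUL byte
    plus letters) can show that a value is echoed, never that it is injectable,
    so such a hit is reported as inconclusive and needs a re-test."""
    form = reflection_form(body, probe)
    if form == 'none':
        return 'not-reflected'
    if not any(c in probe for c in HTML_METACHARS):
        return 'inconclusive'
    return 'reflected-raw' if form == 'raw' else 'reflected-encoded'

# Constructed inputs: the page path from the thread, the scanner's decoded probe,
# and a benign re-test value that does carry attribute/tag metacharacters.
PAGE = '/comic-strip-submitted-to-dee-cote/?a='
SCANNER_PROBE = '\x00rnrfrh'
RETEST_PROBE = '"><i>probe</i>'

if __name__ == '__main__':
    seen = render_referer_field(PAGE + quote(SCANNER_PROBE, safe=''))
    print(triage(seen, SCANNER_PROBE))                                             # inconclusive
    print(triage(render_referer_field(PAGE + RETEST_PROBE), RETEST_PROBE))         # reflected-encoded
    print(triage(render_referer_field(PAGE + RETEST_PROBE, False), RETEST_PROBE))  # reflected-raw
```

Run against the thread's own finding the result is `inconclusive`; only a re-test with a metacharacter-bearing value distinguishes an attribute-escaped echo (`reflected-encoded`, harmless) from an unescaped one (`reflected-raw`).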

The topic ‘Cross-site scripting vulnerabilities’ is closed to new replies.

 * 1 reply
 * 2 participants
 * Last reply from: [Chad Butler](https://wordpress.org/support/users/cbutlerjr/)
 * Last activity: [13 years, 2 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerabilities/#post-3557971)
 * Status: resolved