[Plugin: Dashboard Post-it] HTML injection

  • Resolved theresa95

    (@theresa95)


    Filtering done in function dashboard_postit_Setup never uses the $newoptions variable, allowing HTML injection by unauthorized users.

Viewing 2 replies - 1 through 2 (of 2 total)
  • For reference, here is the function body in question.

    if ( 'post' == strtolower($_SERVER['REQUEST_METHOD']) && isset( $_POST['widget_id'] ) && 'dashboard_postit' == $_POST['widget_id'] ) {
        foreach ( array( 'pi_title', 'pi_text' ) as $key )
            $options[$key] = stripslashes($_POST[$key]);
        if ( !current_user_can('unfiltered_html') )
            $newoptions['text'] = stripslashes(wp_filter_post_kses($newoptions['text'])); // This should take care of HTML permissions.
        update_option( 'dashboard_postit', $options );
    }
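The body quoted above filters `$newoptions['text']` but saves `$options['pi_text']`, so the kses pass touches neither the array nor the key that reaches `update_option`. The following is an added example, not the plugin's own code, of the same save handler with the filter applied to the value that is actually stored. It assumes it runs inside WordPress (`current_user_can`, `wp_unslash`, `sanitize_text_field`, `wp_kses_post`, `wp_verify_nonce`, `get_option` and `update_option` are core functions); the `edit_dashboard` capability gate and the nonce field name `dashboard_postit_nonce` are assumptions of this example, not something the thread specifies.

```php
<?php
/**
 * Added example (not the Dashboard Post-it plugin's code): save handler that
 * filters the stored value, so a user without the unfiltered_html capability
 * cannot persist raw HTML into the dashboard widget.
 *
 * Assumptions: runs inside WordPress; the 'edit_dashboard' capability check
 * and the 'dashboard_postit_nonce' field / 'dashboard_postit_save' action are
 * choices made for this example.
 */
function dashboard_postit_save_options() {
    if ( 'post' !== strtolower( $_SERVER['REQUEST_METHOD'] ) ) {
        return;
    }
    if ( ! isset( $_POST['widget_id'] ) || 'dashboard_postit' !== $_POST['widget_id'] ) {
        return;
    }

    // Only users allowed to edit dashboard widgets may change the note at all
    // (assumed capability), and the request must carry a valid nonce so a
    // forged cross-site form post is rejected (assumed field name).
    if ( ! current_user_can( 'edit_dashboard' ) ) {
        return;
    }
    if ( ! isset( $_POST['dashboard_postit_nonce'] )
        || ! wp_verify_nonce( $_POST['dashboard_postit_nonce'], 'dashboard_postit_save' ) ) {
        return;
    }

    // Start from the currently stored options so a partial form does not wipe fields.
    $options = get_option( 'dashboard_postit', array( 'pi_title' => '', 'pi_text' => '' ) );

    // The title is plain text: strip all tags and control characters.
    if ( isset( $_POST['pi_title'] ) ) {
        $options['pi_title'] = sanitize_text_field( wp_unslash( $_POST['pi_title'] ) );
    }

    // The note body may contain HTML. Users with unfiltered_html keep it
    // verbatim; everyone else gets it reduced to the 'post' kses allow-list.
    // wp_kses_post() is the unslashed equivalent of the quoted
    // stripslashes( wp_filter_post_kses( ... ) ) pair.
    if ( isset( $_POST['pi_text'] ) ) {
        $text = wp_unslash( $_POST['pi_text'] );
        if ( ! current_user_can( 'unfiltered_html' ) ) {
            $text = wp_kses_post( $text );
        }
        $options['pi_text'] = $text;  // the filtered value is what gets stored
    }

    update_option( 'dashboard_postit', $options );
}
```

The function replaces the quoted body at the same call site the plugin already uses; the nonce it checks has to be emitted by the widget form with `wp_nonce_field( 'dashboard_postit_save', 'dashboard_postit_nonce' )` for the check to pass.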

    Plugin Author Mark

    (@codeispoetry)

    Thank you. Since there is no way to edit the dashboard widget unless you can edit_options, I consider this low priority — with edit_options capabilities you can do much more dangerous stuff than an HTML injection in an obscure Dashboard plugin.

    If anyone’s willing to take over the development on this one though I would consider it. I simply lack the time to write any code these days.

  • The topic ‘[Plugin: Dashboard Post-it] HTML injection’ is closed to new replies.