Google Analytics Multisite Async
XSS vulnerability in the admin (6 posts)

  1. Dan Collis-Puro
    Member
    Posted 4 years ago #

    There is an XSS vulnerability in the site (and probably network) admin page of this plugin.

    If you post:

    " /><script>alert(1);</script><div "

    into the "Google Analytics ID:" field that code'll run. If the formatting for that attack gets mangled (I'm sure it will), it's here:

    http://pastebin.com/7kpB3Bus

    I would like to use this plugin for a pretty large multisite install and would be willing to audit it. Interested?

    http://wordpress.org/extend/plugins/google-analytics-multisite-async/
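
The attribute breakout reported in the post above, as an added example that is not part of the thread and is neither the plugin's code nor the linked patch. It is standalone PHP in which the function names, the `ga_id` field name and the `UA-` ID pattern are assumptions; it contrasts an unescaped echo with attribute-context escaping (`esc_attr()` plays this role inside WordPress) and adds an allow-list check on save.

```php
<?php
// Added example: standalone PHP, runs without WordPress.
// All function names and the "ga_id" field name are hypothetical.

// Constructed input: the string quoted in the report above.
$payload = '" /><script>alert(1);</script><div "';

// Vulnerable pattern: the stored value is concatenated into the
// value="" attribute as-is, so a double quote in it ends the attribute.
function render_field_unsafe(string $id): string {
    return '<input type="text" name="ga_id" value="' . $id . '" />';
}

// Hardened output: encode for HTML attribute context. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function render_field_safe(string $id): string {
    $escaped = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="ga_id" value="' . $escaped . '" />';
}

// Validation on save: accept only the expected ID shape and reject
// everything else. Assumption: IDs look like UA-12345678-1.
// \A and \z anchor the whole string, so a trailing newline cannot pass.
function validate_ga_id(string $raw): ?string {
    $id = trim($raw);
    return preg_match('/\AUA-\d{4,10}-\d{1,4}\z/', $id) === 1 ? $id : null;
}

// Compare the two renderings of the same stored value.
echo "unsafe: ", render_field_unsafe($payload), PHP_EOL;
echo "safe:   ", render_field_safe($payload), PHP_EOL;

// The validator returns null for the payload and the ID for a valid one.
var_dump(validate_ga_id($payload));
var_dump(validate_ga_id('UA-12345678-1'));
```

Escaping on output is the control that closes the hole; the allow-list on save is defense in depth and does not replace it, since values stored before the check was added are still rendered.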

  2. Dan Collis-Puro
    Member
    Posted 4 years ago #

    Here's a patch to fix it:

    http://pastebin.com/D6RcmVPY

  3. Dartur
    Member
    Plugin Author

    Posted 4 years ago #

    Nice catch. I will be updating the plugin with this as soon as I can.
    Thanks.

  4. Jason McArtor
    Member
    Posted 3 years ago #

    Where does this patch get pasted in? Does it replace some of the plugin code, or is it added to the existing code?
    Thanks.
    Jason

  5. fanta00
    Member
    Posted 3 years ago #

    Exactly, where should this code go? And has it already been updated in the plugin's recent version?

  6. Dartur
    Member
    Plugin Author

    Posted 3 years ago #

    This has not been added yet, I am sorry to say. I have had a really heavy workload these last months and just have not had the time to update this. I will write here as soon as it is updated, though it will probably be a while before that happens. Work must come first.

Topic Closed

This topic has been closed to new replies.
