A nonce token is missing in the settings, check “wp_nonce_field()” and “check_admin_referer()” in WP codex. This leads to a CSRF attack.
Also, an XSS attack is possible because the title is not sanitized with “esc_attr()” and “esc_html()”.
BUT, if I close my eyes on this, this is a great idea! Nice work 🙂
Waiting for the next patch to use it 😉
See you!
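As an added illustration of the two fixes the post asks for (not code from the plugin or the poster), here is a settings save handler before and after adding the nonce check and output escaping; the option name `tabify_title`, the nonce action `tabify_save_settings` and the function names are hypothetical placeholders.

```php
<?php
// Added example, not the plugin's own code. Option and nonce names are placeholders.

// BEFORE: no nonce, no capability check, raw title echoed back into an attribute.
function tabify_example_save_unsafe() {
    if ( isset( $_POST['tabify_title'] ) ) {
        update_option( 'tabify_title', $_POST['tabify_title'] ); // CSRF: any forged POST is accepted
    }
    // XSS: the stored title lands in an attribute without esc_attr()
    echo '<input name="tabify_title" value="' . get_option( 'tabify_title' ) . '">';
}

// AFTER: nonce + capability check on save, sanitized on input, escaped on output.
function tabify_example_save_safe() {
    if ( isset( $_POST['tabify_title'] ) ) {
        // Dies unless the nonce emitted by wp_nonce_field() below is present and valid.
        check_admin_referer( 'tabify_save_settings', 'tabify_nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.' ) );
        }
        update_option( 'tabify_title', sanitize_text_field( wp_unslash( $_POST['tabify_title'] ) ) );
    }
    $title = get_option( 'tabify_title', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'tabify_save_settings', 'tabify_nonce' ); ?>
        <label>Title
            <!-- esc_attr() for attribute context -->
            <input type="text" name="tabify_title" value="<?php echo esc_attr( $title ); ?>">
        </label>
        <!-- esc_html() for text-node context -->
        <p>Current title: <?php echo esc_html( $title ); ?></p>
        <?php submit_button(); ?>
    </form>
    <?php
}
```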
- The topic ‘[Plugin: Tabify edit screen] Security issue’ is closed to new replies.