
[Resolved] [Plugin: Tabify edit screen] Security issue

  • Hello

    A nonce token is missing in the settings, check “wp_nonce_field()” and “check_admin_referer()” in the WP codex. This leads to a CSRF attack.
    Also, an XSS attack is possible because the title is not sanitized with “esc_attr()” and “esc_html()”.

    BUT, if I close my eyes on this, this is a great idea ! nice work 🙂
    Waiting for the next patch to use it 😉

    See you !

    http://wordpress.org/extend/plugins/tabify-edit-screen/
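The two fixes the report asks for, shown in an added example that is not code from the Tabify Edit Screen plugin: a hypothetical settings page (the option, field and nonce names are assumed) that binds the save action to a nonce with wp_nonce_field()/check_admin_referer() and escapes the stored title on output with esc_attr()/esc_html().

```php
<?php
// Added example, not the plugin's own code. Option, field, nonce and
// text-domain names ("example_*") are assumed for illustration.

add_action( 'admin_menu', function () {
    add_options_page( 'Example Settings', 'Example Settings', 'manage_options',
        'example-settings', 'example_render_settings_page' );
} );

function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'example' ) );
    }

    // Handle the POST. The nonce check is what stops a forged cross-site request:
    // a third-party page cannot know the per-user, per-action token.
    if ( isset( $_POST['example_title'] ) ) {
        // Stops with "Are you sure you want to do this?" if the nonce is absent or invalid.
        check_admin_referer( 'example_save_settings', 'example_nonce' );
        // Sanitize on input: a single line of plain text, tags stripped.
        $title = sanitize_text_field( wp_unslash( $_POST['example_title'] ) );
        update_option( 'example_title', $title );
        echo '<div class="updated"><p>' . esc_html__( 'Settings saved.', 'example' ) . '</p></div>';
    }

    $title = get_option( 'example_title', '' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html__( 'Example Settings', 'example' ); ?></h1>
        <form method="post" action="">
            <?php
            // Emits a hidden input carrying a nonce bound to this action and the current user.
            wp_nonce_field( 'example_save_settings', 'example_nonce' );
            ?>
            <label for="example_title"><?php esc_html_e( 'Title', 'example' ); ?></label>
            <!-- Escape on output: esc_attr() inside attributes, esc_html() in element content. -->
            <input type="text" id="example_title" name="example_title"
                   value="<?php echo esc_attr( $title ); ?>" />
            <p><?php esc_html_e( 'Current title:', 'example' ); ?> <?php echo esc_html( $title ); ?></p>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

Sanitizing on input and escaping on output are separate steps: the stored value may still reach other templates, so every echo of it is escaped for the context it lands in.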

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Marko Heijnen

    @markoheijnen

    Will fix that in the next release. Hopefully the end of this week.

    Plugin Author Marko Heijnen

    @markoheijnen

    I just released the new version. Please let me know what you think about the made improvements.

    Hello, sorry for the delay, this is good Marko 🙂
    Did I win a “thanks to Julio from BoiteAWeb.fr” in the changelog near the “security” line ? 😉
    Thanks in advance

  • The topic ‘[Resolved] [Plugin: Tabify edit screen] Security issue’ is closed to new replies.