Today I was fooling around on my site and updated this plugin (I had an old, modified 1.x version on my site because the old one didn’t work as I liked on a few pages when I first installed it). Later, when I already thought everything was running just fine, I posted a link to one page on Facebook and was surprised by the malformed preview Facebook gave for my post (image missing, and the description had parts of the image link). First I
A quick look at the source code of the page showed a pretty serious bug. This is exactly what the Nextgen FB plugin had written to the source:
<meta property="og:image" content="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" />
I use the Exec-PHP plugin, which allows adding PHP code into the content of the page. The Nextgen FB plugin seems to copy the content as is, without any check for possible code in it.
What I had written on my page in WordPress:
<div class="image"><div class="date">2012-12-29</div><div><img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" /></div></div>
In my case, I was lucky that what happened to be within the img tag on that one page is quite harmless. But I can imagine the harm done if someone runs more complex scripts there, maybe even DB queries with passwords hard-coded there!
Note that Exec-PHP was operating normally when viewing the page, so WordPress itself did parse the content normally before showing it.
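The failure described in the post, with a guard against it, as an added example that is not part of the original post and not the plugin's code: an image URL taken from post content is used for `og:image` only if it carries no unrendered server-side code and is an absolute http(s) URL, and it is escaped on output. The function name `og_image_meta` is hypothetical, and `https://example.com` is an assumed stand-in for what `site_url()` would return.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the plugin's API): build an og:image tag from post HTML,
// refusing any value that still contains server-side code.
function og_image_meta(string $html): ?string
{
    // Take the first <img src="..."> found in the content.
    if (!preg_match('~<img\b[^>]*?\bsrc\s*=\s*(["\'])(.*?)\1~is', $html, $m)) {
        return null;
    }
    $src = html_entity_decode(trim($m[2]), ENT_QUOTES, 'UTF-8');

    // PHP or ASP-style delimiters mean the content was read from storage
    // before it was executed; publishing it would leak source code.
    if (preg_match('~<\?|\?>|<%|%>~', $src)) {
        return null;
    }

    // Only absolute http(s) URLs are usable by a link-preview crawler.
    if (filter_var($src, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Escape for the attribute context before writing it into the page head.
    return '<meta property="og:image" content="'
        . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample: the stored content from the post, PHP still unexecuted.
$raw = '<div class="image"><div class="date">2012-12-29</div><div>'
     . '<img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" />'
     . '</div></div>';

// Constructed sample: the same content after the embedded PHP has run.
$rendered = str_replace('<?php echo site_url(); ?>', 'https://example.com', $raw);

var_dump(og_image_meta($raw));       // stored content: no tag is produced
var_dump(og_image_meta($rendered));  // rendered content: an escaped meta tag
```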
- The topic ‘serious security bug’ is closed to new replies.