Title: Vulnerabilities in the plugin
Last modified: August 21, 2016

---

# Vulnerabilities in the plugin

 *  [M0thr4](https://wordpress.org/support/users/m0thr4/)
 * (@m0thr4)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/vulnerabilities-in-the-plugin/)
 * Hello Evaluate Plugin developers!
 *  Our security team from Quantika14 just found some vulnerabilities in your plugin (Evaluate).
 * ============Vulnerabilities
 * – Cross Site Scripting
 *  Because no variable is sanitized properly when it is managed by the plugin, you
   can inject malicious JavaScript code that can lead to a session hijack (stealing
   the cookie), phishing, or any other bad scenario that the attacker can imagine (by
   injecting JavaScript he has full control of the victim's browser). To do that, the
   attacker only needs to send the administrator a crafted web page with a hidden
   iframe and an auto-submitting form. Even if the attacker cannot set the nonce parameter
   in the form, he does not need it: with the Ajax preview the malicious JavaScript
   code is executed automatically. To check it, you can try to fill in the
   metric name with `"><script>alert(document.cookie)</script>` and check the result.
 * ===========Fixes
 *  To fix this vulnerability you only need to clean the parameters provided by
   the user, eliminating any non-alphanumeric character (except _ and -) or escaping
   them with any function (for example changing `<` for `&lt;`).
 * If you need some proofs of concept, or need more information about how to fix
   the vulnerabilities, please feel free to send us an e-mail.
 * [https://wordpress.org/plugins/evaluate/](https://wordpress.org/plugins/evaluate/)
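As an added example (not code from the Evaluate plugin and not part of the Quantika14 report), the JavaScript below shows why the metric-name payload quoted in the post works when a preview is built by string concatenation into an attribute, and the two fixes the post proposes: an allowlist that keeps only alphanumerics, `_` and `-`, and HTML escaping at the point of output. The preview markup and the `renderMetricPreview*`, `escapeHtml`, `sanitizeMetricName` and `showPreviewInDom` helpers are assumptions for illustration; the plugin's real preview code is not shown in this thread.

```javascript
// Added example, not code from the Evaluate plugin. Shows the attribute-context
// breakout described in the report and the two fixes it proposes.

// Constructed payload: the exact string the report suggests trying as a metric name.
const PAYLOAD = '"><script>alert(document.cookie)</script>';

// Fix 1 (escaping): replace the characters that carry meaning in HTML and in
// attribute values with entities, so "<" becomes "&lt;" and is never parsed as a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fix 2 (allowlist): keep only alphanumerics, "_" and "-", as the report suggests.
// Stricter than escaping; appropriate when the field is an identifier, not free text.
function sanitizeMetricName(s) {
  return String(s).replace(/[^A-Za-z0-9_-]/g, '');
}

// Hypothetical preview builder with the bug: the name is concatenated straight into
// an attribute value. A double quote in the input closes the attribute and the rest
// of the input is parsed as markup, including the <script> element.
function renderMetricPreviewVulnerable(name) {
  return '<label>Metric: <input type="text" value="' + name + '"></label>';
}

// The same builder with escaping applied where the value is written into HTML.
function renderMetricPreviewSafe(name) {
  return '<label>Metric: <input type="text" value="' + escapeHtml(name) + '"></label>';
}

// Crude check used below: does the rendered markup contain a live <script> tag?
// (A real HTML parser would be the authoritative test; this is enough to show the
// difference between the two renderers.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// For the browser side of an Ajax preview: put server-returned data into the page
// with textContent / element properties, never innerHTML, so it is never parsed as
// markup. Not called below because it needs a DOM; shown for completeness.
function showPreviewInDom(container, name) {
  const input = container.ownerDocument.createElement('input');
  input.type = 'text';
  input.value = name;              // value is data, not markup; no parsing happens
  container.textContent = 'Metric: ';
  container.appendChild(input);
  return container;
}

const vulnerable = renderMetricPreviewVulnerable(PAYLOAD);
const safe = renderMetricPreviewSafe(PAYLOAD);
console.log('vulnerable:', vulnerable, '-> script tag present:', containsScriptTag(vulnerable));
console.log('escaped:   ', safe, '-> script tag present:', containsScriptTag(safe));
console.log('allowlist: ', sanitizeMetricName(PAYLOAD));
```

Escaping has to happen at output and match the context (attribute value here); the allowlist is the simpler choice for a metric name because it also rejects the quote that opens the breakout. Neither replaces the nonce check on the form submission, which the post notes only blocks the form path and not the Ajax preview.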

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Thread Starter [M0thr4](https://wordpress.org/support/users/m0thr4/)
 * (@m0thr4)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/vulnerabilities-in-the-plugin/#post-4805644)
 * (for example changing `<` for `&lt;`)*
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [12 years, 1 month ago](https://wordpress.org/support/topic/vulnerabilities-in-the-plugin/#post-4805671)
 * If you have not done so already, can you please send the details to `plugins [at] wordpress.org` and they can evaluate the problem as well as contact the author directly.
 * That’s the best way to get this looked at and resolved.


The topic ‘Vulnerabilities in the plugin’ is closed to new replies.

 * 2 replies
 * 2 participants
 * Last reply from: [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * Last activity: [12 years, 1 month ago](https://wordpress.org/support/topic/vulnerabilities-in-the-plugin/#post-4805671)
 * Status: not resolved