X SS – name_directory_startswith parameter | WordPress.org

Resolved Zielakpl
(@zielakpl-1)

8 years, 5 months ago

Hello, we’ve found an issue in your plugin.

The value of the name_directory_startswith request parameter is copied into the HTML document as plain text between tags.

The payload
008af<script>alert(1)</script>21de4
was submitted in the name_directory_startswith parameter. This input was echoed unmodified in the application’s response.

Some browsers block this behavior but it’s still an issue.

https://wordpress.org/plugins/name-directory/

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Author jeroenpeters1986
(@jeroenpeters1986)

8 years, 5 months ago

Hi Zielakpl,

thank you for reporting this. I will update this as soon as I have some time, within a day or two.

Thanks again!

Plugin Author jeroenpeters1986
(@jeroenpeters1986)

8 years, 5 months ago

Hi Zielakpl,

I’ve just issued version 1.7.7 where this is fixed, thank you!

Thread Starter Zielakpl
(@zielakpl-1)

8 years, 5 months ago

Hey, thanks for the quick fix!

Cheers.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘X SS – name_directory_startswith parameter’ is closed to new replies.

In: Plugins
3 replies
2 participants
Last reply from: Zielakpl
Last activity: 8 years, 5 months ago
Status: resolved