Viewing 7 replies - 1 through 7 (of 7 total)
  • KTS915

    (@kts915)

    This plugin does have several instances of the “unescaped” functions in question, so it is currently susceptible to that vulnerability.

    KTS915

    (@kts915)

    There seem to be three affected files. I’ll try to tackle them one at a time.

    In co-authors-plus/co-authors-plus.php, you need to replace the following lines to eliminate the issue:

    Line 426 should be changed to read: $author_filter_url = esc_url( add_query_arg( $args, admin_url( 'edit.php' ) ) );

    Line 1132 should be changed to read: $views['mine'] = $view_mine = '<a' . $class . ' href="' . esc_url( add_query_arg( $mine_args, admin_url( 'edit.php' ) ) ) . '">' . __( 'Mine', 'co-authors-plus' ) . '</a>';

    Lines 1150 to 1156 inclusive should be changed to:

    var coAuthorsPlus_ajax_suggest_link = '<?php echo esc_url( add_query_arg(
    					array(
    						'action' => 'coauthors_ajax_suggest',
    						'post_type' => get_post_type(),
    					),
    					wp_nonce_url( 'admin-ajax.php', 'coauthors-search' )
    				) ); ?>';

    KTS915

    (@kts915)

    In co-authors-plus/php/class-coauthors-guest-authors.php you need to make the following lines read as follows:

    Line 199: $redirect_to = esc_url( add_query_arg( 'message', 'guest-author-created', $edit_link ) );

    Line 264: $redirect_to = esc_url( add_query_arg( $args, admin_url( $this->parent_page ) ) );

    Line 451: echo '<form method="POST" action="' . esc_url( add_query_arg( 'page', 'view-guest-authors', admin_url( $this->parent_page ) ) ) . '">';

    Line 1282: $create_guest_author_link = esc_url( add_query_arg( $query_args, admin_url( $this->parent_page ) ) );

    Line 1326: $link = esc_url( add_query_arg( 'author_name', $author_nicename, home_url() ) );

    Line 1334: $link = esc_url( add_query_arg( 'author_name', $author_nicename, home_url() ) );

    KTS915

    (@kts915)

    In co-authors-plus/php/class-coauthors-wp-list-table.php you need to make the following lines read as follows:

    Line 197: $item_delete_link = esc_url( add_query_arg( $args, menu_page_url( 'view-guest-authors', false ) ) );

    Line 250: return '<a href="' . esc_url( add_query_arg( 'author_name', $item->user_login, admin_url( 'edit.php' ) ) ) . '">' . $count . '</a>';

    KTS915

    (@kts915)

    I need to make one correction to the above changes, because it requires a different method of escaping. Lines 1150 to 1156 inclusive of co-authors-plus/co-authors-plus.php should, therefore, be changed to:

    var coAuthorsPlus_ajax_suggest_link = '<?php echo esc_url_raw( add_query_arg(
    					array(
    						'action' => 'coauthors_ajax_suggest',
    						'post_type' => get_post_type(),
    					),
    					wp_nonce_url( 'admin-ajax.php', 'coauthors-search' )
    				) ); ?>';

    Thank you!
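
An added example (not part of the thread or the plugin's code) that contrasts the two functions used in the replies above, `esc_url()` and `esc_url_raw()`, on a URL built with `add_query_arg()`. It assumes a loaded WordPress environment, for example WP-CLI's `wp eval-file`; the helper name `cap_demo_escaping_contexts` and the query value are constructed for illustration.

```php
<?php
// Added example, not plugin code. Run inside WordPress, e.g.:
//   wp eval-file escaping-demo.php

// Hypothetical helper: builds one URL and reports how each escaper treats it.
function cap_demo_escaping_contexts() {
	$args = array(
		'action'    => 'coauthors_ajax_suggest',
		// Constructed value standing in for untrusted data that reaches a query arg.
		'post_type' => 'post"><i>',
	);

	// add_query_arg() only assembles the URL; it does not escape it for output.
	$url = add_query_arg( $args, admin_url( 'admin-ajax.php' ) );

	$for_html = esc_url( $url );     // for HTML output such as href="" or action=""
	$for_raw  = esc_url_raw( $url ); // for redirects, storage and other non-HTML use

	return array(
		'unescaped URL still contains a double quote' => false !== strpos( $url, '"' ),
		'esc_url() removed the double quote'          => false === strpos( $for_html, '"' ),
		'esc_url() entity-encoded the ampersand'      => false !== strpos( $for_html, '&#038;' ),
		'esc_url_raw() removed the double quote'      => false === strpos( $for_raw, '"' ),
		'esc_url_raw() kept a literal ampersand'      => false === strpos( $for_raw, '&#038;' )
			&& false !== strpos( $for_raw, '&post_type=' ),
	);
}

foreach ( cap_demo_escaping_contexts() as $check => $holds ) {
	printf( "%-46s %s\n", $check, $holds ? 'yes' : 'NO' );
}
```

An HTML attribute decodes `&#038;` back to `&`, but a JavaScript string literal inside a `<script>` block does not, so the entity-encoded form would be sent to the server as written.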

  • The topic ‘XSS Vulnerability’ is closed to new replies.