• Resolved alternator

    (@alternator)


    Dear author,

    I just discovered that ninja-annc-display-js.php can execute arbitrary JavaScript code. Please do patch the ‘plugin_url’ variable. If you need further information, please don’t hesitate to contact me.

    Thanks,
    ~ Alternat0r

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Kevin Stover

    (@kstover)

    Just updated to version 1.2. I believe this will fix the javascript vulnerability issue. Thank you very much for the heads up.

    Thread Starter alternator

    (@alternator)

    No problemo. I was just looking at your v1.2 code. I recommend you use the htmlentities() function, which is more flexible and secure.

    <?php
    // Read the request value, then entity-encode it before it is echoed.
    // ENT_QUOTES encodes both single and double quotes (the default leaves
    // single quotes alone, which would not be safe inside a '...' literal);
    // the explicit charset keeps the encoder from mis-parsing multibyte input.
    $plugin_url = isset($_REQUEST['plugin_url']) ? $_REQUEST['plugin_url'] : '';
    $plugin_url = htmlentities($plugin_url, ENT_QUOTES, 'UTF-8');
    ?>
    ...

    just my 2 cents
    thanks

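An added example, not code from the plugin or from either poster, showing the two output contexts the suggested fix has to cover. The file name and the `plugin_url` parameter come from the thread; the script body, the `render_plugin_url_script()` helper and the constructed sample input are assumptions, and the most robust option, computing the URL server-side with WordPress's `plugins_url()` instead of trusting the request at all, is shown as a comment.

```php
<?php
// Hypothetical reconstruction of a display-js style endpoint: a PHP file that
// emits JavaScript and receives 'plugin_url' from the request.

// Constructed sample input for a local test; a real request would supply it.
$raw = $_REQUEST['plugin_url'] ?? "http://example.invalid/x';alert(1);//";

// UNSAFE pattern: the request value is pasted straight into a JS string
// literal. A quote or a "</script>" sequence in the value ends the literal
// or the script element early and the remainder runs as script.
// echo "var plugin_url = '" . $raw . "';";

// Option 1 (the thread's suggestion, made quote-safe): entity-encode with
// ENT_QUOTES and an explicit charset. This is the right tool when the value
// lands in HTML text or an attribute; in a <script> body, entities are NOT
// decoded, so the URL would arrive with &#039; etc. still in it.
function encode_for_html(string $value): string {
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Option 2: for a JavaScript string literal, emit a JSON literal with the
// HEX flags so <, >, &, ' and " become \uXXXX escapes. Neither the literal
// nor the enclosing script element can then be terminated by the input.
function render_plugin_url_script(string $value): string {
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
    return 'var plugin_url = ' . $literal . ";\n";
}

// Option 3 (preferred for a fixed plugin path): do not read it from the
// request at all. Inside WordPress, plugins_url('', __FILE__) yields the
// plugin's own URL, so there is no untrusted value to encode.
// $safe = plugins_url('', __FILE__);

header('Content-Type: application/javascript; charset=UTF-8');
echo render_plugin_url_script($raw);
// With the constructed input this prints:
// var plugin_url = "http://example.invalid/x\u0027;alert(1);//";
```
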
  • The topic ‘Ninja Announcements v1.1 WordPress Plugin Stored XSS Vulnerability’ is closed to new replies.