• JDD

    (@allaboutmormons)


    Your plugin is great, but it enables cross-site scripting attacks. The front-end registration form is reloaded and repopulated with $_POST data when the username is less than 4 characters. Some of the fields might have been modified to enable third-party javascript. For example, what if $_POST['user_email'] has been changed to '[email protected]"><sCrIpT>alert(36363)</sCrIpT>'?

    I’ve overcome this problem by adding the following code to my functions.php file, but it would be best to fix the plugin itself:

    add_action('init', 'sanitize_post_data');

    function sanitize_post_data() {
        // Go through all of $_POST and sanitize it to prevent cross-site scripting attacks.
        foreach ($_POST as $key => $val) {
            $_POST[$key] = htmlentities($val);
        }
    }
    
Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter JDD

    (@allaboutmormons)

    A slight improvement to my functions.php fix, in case it’s helpful:

    add_action('init', 'sanitize_post_data');

    function sanitize_post_data() {
        // Go through all of $_POST and sanitize it to prevent cross-site scripting attacks.
        // Skip array values: htmlentities() expects a string and would raise a PHP warning.
        foreach ($_POST as $key => $val) {
            if (!is_array($val)) {
                $_POST[$key] = htmlentities($val);
            }
        }
    }

    Prevents occasional PHP errors caused by other plugins/wordpress functions.

    Plugin Author Chad Butler

    (@cbutlerjr)

    Thanks for bringing this to my attention. In the future, it’s best to start by contacting me directly first. That will bring it to my attention quicker, and it gives us opportunity to provide an appropriate patch (if needed) and address it properly before it’s mentioned publicly.

    I’ve evaluated this and have addressed it in the 3.1.5 release which is being finalized now.

    Some of the fields might have been modified to enable third-party javascript.

    The primary issue here is actually not “some of the fields” but rather the email field specifically.

    The plugin uses WP’s functions for handling form input. This generally amounts to sanitizing input and escaping output. This process relies on a number of WP functions.

    The username field is sanitized with sanitize_user(). Text inputs are sanitized with sanitize_text_field(). When the username is validated, that validate_username() also runs sanitize_user().

    I’m not sure why the email was not being sanitized, but maybe that was overlooked thinking that is_email() also sanitizes the input, but it actually does not.

    So the update applies sanitize_email() to the email input and esc_attr() to the value in the input field when it is displayed. (Actually, it also applies wp_unslash() to the value when displayed as well: esc_attr( wp_unslash( $value ) ), which is the same process as is handled on the wp-login.php registration.)

    In going through this, there were some additional places I found that could be hardened, but the update includes some additional sanitizing and escaping of input/output, such as on the output of checkboxes and hidden fields.

    This will be included in 3.1.5, and you can view the specific changes relative to this issue here:
    https://github.com/butlerblog/wp-members/commit/464e1dfa0e8062c6036246511102a5f139ad998c

    • This reply was modified 8 years, 2 months ago by Chad Butler. Reason: added links for functions mentioned
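    The input/output pattern described in the reply above, as an added example that is not the plugin's code or part of the original thread. It uses local stand-ins for WP's wp_unslash(), sanitize_email() and esc_attr() so it runs outside WordPress (inside WP the real functions would be used), and contrasts the unescaped rendering of the e-mail field with the sanitize-on-input, escape-on-output version.

    ```php
    <?php
    // Added example, not the plugin's code. The *_stub functions below are local
    // stand-ins for the WordPress functions of the same name (an assumption so the
    // file runs stand-alone); their behaviour is close to, not identical to, WP's.
    function wp_unslash_stub(string $v): string {
        return stripslashes($v);
    }
    function sanitize_email_stub(string $v): string {
        // Strip characters not permitted in an address; return '' if what remains
        // is not a valid address (WP's sanitize_email() behaves similarly).
        $clean = filter_var($v, FILTER_SANITIZE_EMAIL);
        return filter_var($clean, FILTER_VALIDATE_EMAIL) ? $clean : '';
    }
    function esc_attr_stub(string $v): string {
        // Escape for an HTML attribute context: quotes, <, >, & become entities.
        return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Unescaped: the raw POST value lands inside the value="" attribute, so a
    // double quote in the input closes the attribute and the rest is parsed as HTML.
    function render_email_field_unsafe(array $post): string {
        return '<input type="text" name="user_email" value="' . $post['user_email'] . '">';
    }

    // Hardened: sanitize on input, then unslash and escape when writing the attribute.
    // is_email()-style validation alone would not change the reflected value; the
    // escaping step is what makes the reflected value inert.
    function render_email_field_safe(array $post): string {
        $value = sanitize_email_stub(wp_unslash_stub($post['user_email']));
        return '<input type="text" name="user_email" value="' . esc_attr_stub($value) . '">';
    }

    // Constructed input modelled on the report's example: attribute broken out of,
    // then a script tag appended.
    $post = ['user_email' => 'user@example.com"><sCrIpT>alert(36363)</sCrIpT>'];
    echo render_email_field_unsafe($post), "\n";
    echo render_email_field_safe($post), "\n";
    ```

    Running it prints the broken attribute followed by a live script tag for the first call, and a single well-formed input element with only address characters left for the second.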
    Thread Starter JDD

    (@allaboutmormons)

    Thanks for your speedy reply, Chad, and for making a great plugin. It occurred to me after I posted that I should have let you know privately. Feel free to delete this message if you think it’s appropriate, though with the imminent fix perhaps that’s not necessary. All the best.

    Plugin Author Chad Butler

    (@cbutlerjr)

    No problem!

    These changes are incorporated into 3.1.5 and I’ve tested them out – things seem to check out there. There are some other changes that are not yet fully tested so that all needs to test out before release.

    I expect to have 3.1.5 fully tested and scheduled for production release early next week (targeting Monday). In the meantime, the nightly builds will be available via GitHub:

    https://github.com/butlerblog/wp-members/

    Plugin Author Chad Butler

    (@cbutlerjr)

    3.1.5 is now out as full production release and corrects this (and a couple of other) issues.

  • The topic ‘Vulnerability: Cross-Site Scripting attacks’ is closed to new replies.