• Resolved NextScripts

    (@nextscripts)


    Your plugin assumes that if a URL contains the parameter “code”, it belongs to it. There are many other plugins that could do authorizations that return that variable in the URL.

    This is NOT OK: (file callback.php)

    $code = isset( $_REQUEST['code'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['code'] ) ) : '';// WPCS: CSRF ok,Input var okay.
    $url  = admin_url( "admin.php?page=mb_email_configuration&access_token=$code" );
    header( "location: $url" );
    exit();

    You MUST check that you initiated the authorization. Please use the ‘state’ parameter; it exists specifically for that reason.

    Right now you are hijacking all authorizations and even some unrelated pages from other plugins.
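
The check the post asks for, as an added example that is not part of the original thread or the plugin's code: a callback is handled only when its `state` matches a value the plugin issued itself, and every other request carrying `code` is left alone. The function names and the array-backed store are hypothetical; a plugin would keep the issued values in per-user server-side storage.

```php
<?php
// Added example. mb_issue_state, mb_handle_callback and the array store are
// hypothetical names, not taken from the plugin.

// Called when the plugin starts an authorization: remember a random state value.
function mb_issue_state( array &$store ): string {
    $state           = bin2hex( random_bytes( 16 ) );
    $store[ $state ] = time() + 600; // valid for 10 minutes
    return $state; // sent to the provider as the 'state' query parameter
}

// Called on every request. Returns a redirect URL only for a callback this
// plugin started; returns null so other plugins' "code" requests pass untouched.
function mb_handle_callback( array $query, array &$store ): ?string {
    $code  = $query['code'] ?? '';
    $state = $query['state'] ?? '';
    if ( ! is_string( $code ) || ! is_string( $state ) || '' === $code || '' === $state ) {
        return null;
    }
    foreach ( $store as $known => $expires ) {
        if ( hash_equals( (string) $known, $state ) ) {
            unset( $store[ $known ] ); // single use: a replayed callback is ignored
            if ( $expires < time() ) {
                return null; // issued by us, but too old
            }
            return 'admin.php?page=mb_email_configuration&access_token=' . rawurlencode( $code );
        }
    }
    return null; // state was not issued by this plugin
}

// Constructed sample requests.
$store = array();
$state = mb_issue_state( $store );
$cases = array(
    'other plugin, no state'  => array( 'code' => 'abc' ),
    'other plugin, own state' => array( 'code' => 'abc', 'state' => 'not-ours' ),
    'our callback'            => array( 'code' => 'abc', 'state' => $state ),
    'our callback replayed'   => array( 'code' => 'abc', 'state' => $state ),
);
foreach ( $cases as $label => $query ) {
    $url = mb_handle_callback( $query, $store );
    echo str_pad( $label, 26 ), ' => ', $url ?? '(ignored)', "\n";
}
```

Only the third case yields a redirect; the replay is ignored because the state value is deleted on first use.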

Viewing 1 replies (of 1 total)
  • Plugin Author Varun Sharma

    (@contact-banker)

    Hi,

    Thanks for bringing up this issue.

    Fixed in 3.0.66 and you should update it as well on your sites.

    Thanks

  • The topic ‘Your plugin messes up other plugins.’ is closed to new replies.