I’ve updated it but I’m still having the same issue. The ‘manage items’ section echoes the title or the caption of the submitted data without cleaning it. E.g., the image pair form has a field called ‘caption’. If a user sets the caption to "><script>alert('hello')</script> and then hits submit, the server will store it without cleaning it. Thus, when the admin asks for information, such as text inputs or images, it’ll pop up an alert box. htmlspecialchars() before updating or inserting into the db would do the job.
Also, I found a CSRF vuln. An anonymous user is able to update any data stored on the server for another user, simply by changing the value of the hidden field that is above the delete button. The value must match an existing item_id. I hope I’ve been as clear as possible. Feel free to contact me; I’ll help you.
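The two problems in the post above, modelled in a small added Python example (not code from the original post or from the application it describes). It uses a constructed in-memory item table and hypothetical handler names; the payload is the one quoted in the report. The caption is escaped when it is rendered into the admin page (the Python equivalent of htmlspecialchars() with ENT_QUOTES), so the stored value stays raw and is safe wherever it is displayed, and the update handler checks that the item named by the hidden item_id field belongs to the logged-in user instead of trusting the field:

```python
import html

# Constructed in-memory "database": item_id -> owner and caption (hypothetical data).
ITEMS = {
    101: {"owner": "alice", "caption": "Sunset over the bay"},
    102: {"owner": "bob", "caption": "Bridge at night"},
}

# Payload quoted in the report. It is stored as-is; the bug is in how it is echoed.
XSS_PAYLOAD = "\"><script>alert('hello')</script>"


def render_caption_vulnerable(caption: str) -> str:
    # Echoes the stored caption straight into an attribute value: the quote in the
    # payload closes the attribute and the <script> element lands in the page.
    return f'<input name="caption" value="{caption}">'


def render_caption_safe(caption: str) -> str:
    # Escape at output time. html.escape(quote=True) converts & < > " and ',
    # the same characters PHP's htmlspecialchars($s, ENT_QUOTES) converts.
    return f'<input name="caption" value="{html.escape(caption, quote=True)}">'


def update_caption_vulnerable(item_id: int, new_caption: str) -> bool:
    # Trusts the hidden item_id field from the form: anyone who submits a valid
    # item_id can overwrite another user's item, with or without a session.
    if item_id not in ITEMS:
        return False
    ITEMS[item_id]["caption"] = new_caption
    return True


def update_caption_safe(session_user, item_id: int, new_caption: str) -> bool:
    # Require a logged-in user and verify server-side that the item is theirs.
    # The hidden field only says which item; it never decides who may edit it.
    if session_user is None:
        return False
    item = ITEMS.get(item_id)
    if item is None or item["owner"] != session_user:
        return False
    item["caption"] = new_caption
    return True


def main() -> None:
    print("vulnerable:", render_caption_vulnerable(XSS_PAYLOAD))
    print("safe:      ", render_caption_safe(XSS_PAYLOAD))
    print("anonymous edit of bob's item:", update_caption_safe(None, 102, "x"))
    print("alice editing bob's item:    ", update_caption_safe("alice", 102, "x"))
    print("bob editing bob's item:      ", update_caption_safe("bob", 102, "x"))


if __name__ == "__main__":
    main()
```

Escaping on output rather than before the INSERT keeps the database holding what the user typed, which matters if the same caption is later placed in a JSON response, an e-mail or a CSV export, where HTML entities would be wrong; the ownership check is the part of the fix that the hidden field cannot provide on its own.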