Possible XSS exploit

[IvanRF]

I'm not an expert on this, but I saw you added esc_attr() on POST and GET. Shouldn't you use that also in /options/index.pnp lines 68-71?

[Reedyseth]

I'm not an expert on this, but I saw you added esc_attr() on POST and GET. Shouldn't you use that also in /options/index.pnp lines 68-71?

You are right. Any information coming from any source should be escape, but annotated.

[IvanRF]

Here are some more possible exploits: /options/panel1-business-logic.php lines 94-98

[IvanRF]

Also in

• /options/panel1-edit-subscription.php lines 14 and 17
• /options/panel1.php line 7
• templates/author.php
• templates/one-click-unsubscribe.php
• templates/user.php
• wp_subscribe_reloaded.php lines 379-381 and 1044

Easiest way to find them is to search "$_GET" or "$_POST" in the whole project.