W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)

The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

WordPress和W3 Total Cache 跨站脚本漏洞

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。W3 Total Cache是一款网站缓存插件。 WordPress插件 W3 Total Cache 存在跨站脚本漏洞，该漏洞源于在扩展仪表板的“扩展”参数中，它以一个属性的形式输出，没有首先被转译。这可能会让攻击者可利用该漏洞在用户的web浏览器中运行恶意JavaScript，从而导致整个站点被破坏。攻击者可利用该漏洞可以说服经过认证的管理员点

N/A

N/A