Popular Brand SVG Icons - Simple Icons < 2.7.8 - Contributor+ Stored XSS

The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

WordPress 插件 跨站脚本漏洞

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress 插件是WordPress开源的一个应用插件。 WordPress 插件 Simple Icons 2.7.8 之前的版本存在安全漏洞，该漏洞源于该插件不会清理或验证其一些短代码参数，例如“颜色”、“大小”或“类别”。

N/A

N/A