Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site Scripting payloads in them

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

WordPress plugin 跨站脚本漏洞

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是WordPress开源的一个应用插件。 WordPress plugin Meks Easy Photo Feed Widget 存在安全漏洞，该漏洞源于meks_save_business_selected_account AJAX 操作中没有功能和 CSRF 检查，任何经过身份验证的用户都可以使用，并且不会转义某些设置。因此，任何经

N/A

N/A