Authenticated Stored Cross-Site Scripting

  • Resolved Alona Gomez

    (@alonagomez)


    4 weeks, 1 day ago

    I hope you can update and fix your plugin because it is useful.

    It is now Flagged by Wordfence with a Critical vulnerabilty. The detail is on the link provided.

    Wordfence – Description

    The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)
  • Plugin Contributor jamify

    (@jamify)

    3 weeks, 4 days ago

    Hello, The plugin has been updated. If you let or add a script to a post’s head, you must enable it in settings for author and contributor .

    Thanks.

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.