Shareaholic 7.6.0.3 XSS

Published: 2025-04-13
Revised: 2025-04-13

File: shareaholic\shareaholic.php

```
add_action('wp_ajax_shareaholic_add_location', array('ShareaholicAdmin', 'add_location'));
```

$_POST['location'] is not escaped.

File: shareaholic\admin.php

```
public static function add_location() {
    $location = $_POST['location'];
    $app_name = $location['app_name'];
    ShareaholicUtilities::update_options(array(
        'location_name_ids' => array(
            $app_name => array(
                $location['name'] => $location['id']
            ),
        ),
        $app_name => array(
            $location['name'] => 'on'
        )
    ));

    echo json_encode(array(
        'status' => "successfully created a new {$location['app_name']} location",
        'id' => $location['id']
    ));

    die();
}
```

We save $_POST['location'] as shareaholic_settings.

File: shareaholic\utilities.php

```
public static function update_options($array) {
    $old_settings = self::get_settings();
    $new_settings = self::array_merge_recursive_distinct($old_settings, $array);
    update_option('shareaholic_settings', $new_settings);
}
```

Then it’s displayed as $location_id on admin...
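A hardened version of the handler described above, as an added example that is not the plugin's own code or its official fix. It assumes `app_name` and `name` are slug-like keys; the class name, the nonce action and field names, and the `render_location_id()` helper are hypothetical. It runs inside WordPress, since it relies on core sanitising and escaping functions.

```php
<?php
// Added example: hardened variant of ShareaholicAdmin::add_location().
// Hypothetical names: this class, the nonce action/field, render_location_id().
class ShareaholicAdminHardened {
    public static function add_location() {
        // Reject forged or unprivileged requests before touching settings.
        check_ajax_referer('shareaholic_add_location', 'nonce');
        if (!current_user_can('manage_options')) {
            wp_send_json(array('status' => 'forbidden'), 403);
        }

        $raw = (isset($_POST['location']) && is_array($_POST['location']))
            ? wp_unslash($_POST['location'])
            : array();

        // Normalise every field before it reaches update_option().
        $location = array();
        foreach (array('app_name', 'name', 'id') as $field) {
            $value = (isset($raw[$field]) && is_scalar($raw[$field])) ? $raw[$field] : '';
            // Assumption: app_name and name are slugs; id is free text.
            $clean = ($field === 'id') ? sanitize_text_field($value) : sanitize_key($value);
            if ($clean === '') {
                wp_send_json(array('status' => "invalid field: {$field}"), 400);
            }
            $location[$field] = $clean;
        }

        ShareaholicUtilities::update_options(array(
            'location_name_ids' => array(
                $location['app_name'] => array($location['name'] => $location['id']),
            ),
            $location['app_name'] => array($location['name'] => 'on'),
        ));

        // wp_send_json() sets an application/json content type and exits.
        wp_send_json(array(
            'status' => "successfully created a new {$location['app_name']} location",
            'id'     => $location['id'],
        ));
    }

    // Escape again at render time so values already stored in
    // shareaholic_settings are neutralised as well.
    public static function render_location_id($location_id) {
        return '<input type="hidden" name="location_id" value="'
            . esc_attr($location_id) . '">';
    }
}
```

Sanitising on input alone does not clean entries that were saved before the change, which is why the output path escapes too.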

No exploit or PoC is currently available.
There are currently 0 affected-product entries.