
2.4.1

@GaryJones GaryJones released this 23 Apr 07:28

Security release to improve escaping for URLs and attributes.

https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/ explains how plugins were susceptible to potential XSS attacks. The announcement concerns add_query_arg() and remove_query_arg() when the optional second argument is not given: both then fall back to $_SERVER['REQUEST_URI'], a value the requester controls.

TGMPA used the second argument in most instances, most often with an admin URL. While the admin URL functions are filterable, exploiting the lack of escaping in those cases would require applying a filter (by editing a theme or plugin) to form a malicious URL, rather than just sending a crafted GET request.

We did have at least one instance where the second argument was not provided, and the resulting URL was not being escaped. This has been fixed in 2.4.1.
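The unsafe pattern described above beside its hardened form, as an added example (not TGMPA's own code); the function names and page slug are hypothetical, and it assumes it runs inside WordPress, where add_query_arg(), remove_query_arg(), admin_url(), esc_url() and esc_attr() are defined:

```php
<?php
// Added illustration, not code from TGMPA. Assumes the WordPress functions
// add_query_arg(), remove_query_arg(), admin_url(), esc_url() and esc_attr()
// are available (i.e. this runs inside a plugin).

// Before: no second argument, so add_query_arg() builds on
// $_SERVER['REQUEST_URI'], which the requester controls. Echoing the result
// without escaping lets a crafted request URI land in the markup as-is.
function example_plugin_link_unsafe( $plugin_slug ) {
	$url = add_query_arg( 'plugin', $plugin_slug );
	return '<a href="' . $url . '">' . $plugin_slug . '</a>';
}

// After: always pass an explicit base URL and escape the final string.
// Even an admin_url() base still needs esc_url(): admin_url() is filterable,
// so its value is not fully trusted either. 'example-page' is a placeholder slug.
function example_plugin_link_safe( $plugin_slug ) {
	$url = add_query_arg(
		array( 'page' => 'example-page', 'plugin' => $plugin_slug ),
		admin_url( 'themes.php' )
	);
	return '<a href="' . esc_url( $url ) . '">' . esc_attr( $plugin_slug ) . '</a>';
}

// The same rule applies when stripping arguments: give remove_query_arg()
// an explicit base URL and escape the result before it reaches an attribute.
function example_plugin_strip_safe( $base_url ) {
	return esc_url( remove_query_arg( array( 'plugin', 'action' ), $base_url ) );
}
```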