CVE-2015-10119: Security update: correct misuse of `add_query_arg()` as identified by… · wp-plugins/view-all-posts-pages@bf914f3
A vulnerability classified as problematic has been found in View All Posts Page Plugin up to 0.9.0 on WordPress. It affects the function action_admin_notices_activation of the file view-all-posts-pages.php. The manipulation leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 0.9.1 addresses this issue. The patch is named bf914f3a59063fa4df8fd4925ae18a5d852396d7. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-233363.
@@ -1,11 +1,11 @@
<?php
/*
Plugin Name: View All Post’s Pages
Plugin URI: http://www.thinkoomph.com/plugins-modules/view-all-posts-pages/
Plugin URI: http://www.oomphinc.com/plugins-modules/view-all-posts-pages/
Description: Provides a “view all” (single page) option for posts, pages, and custom post types paged using WordPress’ <a href="http://codex.wordpress.org/Write_Post_SubPanel#Quicktags" target="_blank"><code><!–nextpage–></code> Quicktag</a> (multipage posts).
Author: Erick Hitter & Oomph, Inc.
Version: 0.9
Author URI: http://www.thinkoomph.com/
Version: 0.9.1
Author URI: http://www.oomphinc.com/
Text Domain: view_all_posts_pages
This program is free software; you can redistribute it and/or modify
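Review bot: the plugin header mixes an unrelated rebrand into a security fix: Plugin URI and Author URI move from thinkoomph.com to oomphinc.com in the same change that bumps Version from 0.9 to 0.9.1. The Version line is the only header change the fix needs; putting the URL change in its own commit would keep the security patch minimal and easier to audit or backport.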
@@ -686,9 +686,9 @@ public function action_admin_notices_activation() {
<div id="wpf-rewrite-flush-warning" class="error fade">
<p><strong><?php _e( 'View All Post\’s Pages’, ‘view_all_posts_pages’ ); ?></strong></p>
<p><?php printf( __( 'You must refresh your site\’s permalinks before <em>View All Post\’s Pages</em> is fully activated. To do so, go to <a href="%s">Permalinks</a> and click the <strong><em>Save Changes</em></strong> button at the bottom of the screen.’, ‘view_all_posts_pages’ ), admin_url( ‘options-permalink.php’ ) ); ?></p>
<p><?php printf( __( 'You must refresh your site\’s permalinks before <em>View All Post\’s Pages</em> is fully activated. To do so, go to <a href="%s">Permalinks</a> and click the <strong><em>Save Changes</em></strong> button at the bottom of the screen.’, ‘view_all_posts_pages’ ), esc_url( admin_url( ‘options-permalink.php’ ) ) ); ?></p>
<p><?php printf( __( 'When finished, click <a href="%s">here</a> to hide this message.’, ‘view_all_posts_pages’ ), admin_url( add_query_arg( $this->notice_key, 1, ‘index.php’ ) ) ); ?></p>
<p><?php printf( __( 'When finished, click <a href="%s">here</a> to hide this message.’, ‘view_all_posts_pages’ ), esc_url( admin_url( add_query_arg( $this->notice_key, 1, ‘index.php’ ) ) ) ); ?></p>
</div>
<?php
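Review bot: the "hide this message" link in the last printf() of action_admin_notices_activation() is still a state-changing GET built from $this->notice_key set to 1 alone, with no nonce in the URL. If the handler that reads that parameter (not visible in this hunk) does not verify one, any page an admin visits can dismiss the notice on their behalf; wrapping the URL in wp_nonce_url() and checking it on the receiving side would close that. Wrapping both hrefs in esc_url() at the point of output is the right place for the escaping. Note that this add_query_arg() call passes 'index.php' explicitly, so it does not fall back to the request URI; any calls elsewhere in the file that omit the URL argument need the same esc_url() treatment and should be checked, since none are visible here.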