CVE-2015-10093: Prevent XSS with esc_url() in old WordPress versions and prepare for … · korobochkin/mark-user-as-spammer@e705972

A vulnerability was found in the Mark User as Spammer plugin, versions 1.0.0 and 1.0.1, and classified as problematic. The affected code is the function user_row_actions in the file plugin/plugin.php: manipulation of the argument url leads to cross-site scripting, and the attack can be launched remotely. Upgrading to version 1.0.2 addresses this issue. The patch is commit e7059727274d2767c240c55c02c163eaa4ba6c62. It is recommended to upgrade the affected component. The identifier VDB-222325 was assigned to this vulnerability.


@@ -103,8 +103,16 @@ public static function user_row_actions( $actions, $user_object ) {

‘mark_user_as_spammer_nonce’

);

$url = site_url( $url );

/*

* Always use esc_url() before output link!

* wp_nonce_url() already pass url to esc_html and script tags will be encoded but we need armor to protect URL from XSS

*/

$url = esc_url( $url );

$actions[‘spammer’] = ‘<a href="’

. site_url( $url )

. $url

. ‘" class="mark-user-as-spammer" title="’ . (

$is_spammer ?

esc_attr_x ('Unban user. He will be able to log in on site.’, 'Verb. Mark user (account) like non spammer account’, ‘mark_user_as_spammer’)
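Review bot: the comment above `$url = esc_url( $url );` should state the actual reason esc_html() is not enough here: esc_html() only encodes HTML special characters, it does not validate the URL scheme or the characters of a URL, so a value landing in an href attribute still needs esc_url(), which rejects disallowed protocols and strips characters outside its allowed set. Since esc_url() can change the value, applying it after `$url = site_url( $url );` and before the string is concatenated, as done here, is the correct order. Separately, the concatenation shows both `. site_url( $url )` and `. $url` immediately after `$url = site_url( $url );`; only one of these should survive in the final code, because keeping both emits the site URL twice and passes an already absolute, already escaped URL back through site_url().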
