Friday, July 9, 2010

XSS bug in Canvas plugin for WordPress

I recently discovered an XSS vulnerability in a blog that uses Wootheme Canvas with Yoast breadcrumbs.

In wp-content/themes/canvas/includes/theme-plugins.php, line 219, the search widget does not escape HTML entities, so the search query is written into the page markup unchanged, resulting in potential code injection. For example, search for:

>"></strong><script>alert('injection');</script>

In order to fix this, the line should read as:
$output .= bold_or_not($opt['searchprefix'].' "'.htmlentities(html_entity_decode(get_search_query())).'"');
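To make the difference between the two lines concrete, here is an added example (not the Canvas theme's or WordPress's own code) with a stand-in for bold_or_not() and the search query passed in directly instead of via get_search_query(); the ENT_QUOTES / UTF-8 arguments are an assumption added for safer defaults, and the second sample shows why the decode-then-encode order avoids double-encoding a query WordPress has already escaped.

```php
<?php
// Added example, not the theme's code: a minimal stand-in for the breadcrumb
// search line, showing the unescaped variant next to the escaped one.

// Stand-in for the theme's bold_or_not() helper: wraps text in <strong>.
function bold_or_not(string $text): string {
    return '<strong>' . $text . '</strong>';
}

// Vulnerable form: the query is concatenated straight into the HTML.
function breadcrumb_unsafe(string $prefix, string $query): string {
    return bold_or_not($prefix . ' "' . $query . '"');
}

// Fixed form, following the post: decode any entities WordPress already
// produced, then encode exactly once so the query cannot break out of the
// markup. ENT_QUOTES and 'UTF-8' are assumptions added here; the post's own
// line relies on PHP's defaults.
function breadcrumb_safe(string $prefix, string $query): string {
    $decoded = html_entity_decode($query, ENT_QUOTES, 'UTF-8');
    $clean   = htmlentities($decoded, ENT_QUOTES, 'UTF-8');
    return bold_or_not($prefix . ' "' . $clean . '"');
}

// Constructed sample 1: the probe string from the post.
$probe = '"></strong><script>alert(\'injection\');</script>';

$unsafe = breadcrumb_unsafe('Search results for', $probe);
$safe   = breadcrumb_safe('Search results for', $probe);

// Check a tester or unit test can run: a literal <script> tag must not
// survive in the fixed output, while it does in the vulnerable one.
echo 'unsafe contains <script>: ', var_export(strpos($unsafe, '<script>') !== false, true), PHP_EOL;
echo 'safe contains <script>:   ', var_export(strpos($safe, '<script>') !== false, true), PHP_EOL;
echo $safe, PHP_EOL;

// Constructed sample 2: a query that was already entity-encoded upstream.
// Decoding first means it is not turned into &amp;lt;b&amp;gt; (double encoding);
// the output still shows the text &lt;b&gt; exactly once.
$already = '&lt;b&gt;';
echo breadcrumb_safe('Search results for', $already), PHP_EOL;
```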