The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors.
The Schedule Post Changes With PublishPress Future WordPress plugin versions up to 4.10.0 contain a Stored XSS vulnerability in the 'wrapper' attribute of the [futureaction] shortcode due to insufficient input sanitization. Administrator-level attackers can inject arbitrary web scripts that execute when users access affected pages.
تحتوي إضافة PublishPress Future على ثغرة XSS مخزنة في خاصية 'wrapper' للاختصار [futureaction] بسبب عدم كفاية تعقيم المدخلات. يمكن لمهاجمي مستوى المسؤول حقن معالجات الأحداث عبر المسافات في قيمة wrapper. هذا يسمح بتنفيذ نصوص ويب عشوائية عند وصول المستخدمين إلى الصفحات المصابة.
The Schedule Post Changes With PublishPress Future WordPress plugin versions up to 4.10.0 contain a Stored XSS vulnerability in the 'wrapper' attribute of the [futureaction] shortcode due to insufficient input sanitization. Administrator-level attackers can inject arbitrary web scripts that execute when users access affected pages.
Update the Schedule Post Changes With PublishPress Future plugin to version 4.10.1 or later. Implement strict input validation and use appropriate escaping functions like wp_kses_post() for HTML content. Restrict plugin functionality access to trusted administrator accounts only and audit existing administrator accounts for unauthorized access.
قم بتحديث إضافة Schedule Post Changes With PublishPress Future إلى الإصدار 4.10.1 أو أحدث. طبق التحقق الصارم من المدخلات واستخدم دوال الهروب المناسبة مثل wp_kses_post() للمحتوى HTML. قيد الوصول إلى وظائف الإضافة للحسابات الموثوقة فقط وراجع حسابات المسؤول الحالية للكشف عن الوصول غير المصرح به.