Plugin inspection:

New Blog Templates

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.

Findings

  • Does not escape all HTML (for example the Template Name field) (capability required appears to be manage_network)
  • For some reason it attempts to strip SCRIPT tags out of template and category descriptions with regular expressions (blogtemplatesfiles/admin/categories_menu.php line 138, blogtemplatesfiles/admin/main_menu.php line 417). This doesn't work, because `<img onerror="alert(3)" src="">` can be used instead of a SCRIPT tag. It's unclear what it's attempting to prevent
  • No other issues found
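The second finding is the general weakness of blacklist filtering: removing one tag name with a regular expression leaves every other tag, and every event-handler attribute, intact, whereas escaping at output time makes the stored text inert regardless of what it contains. The following is an added illustration written for this review, not code from the plugin (which is PHP; in WordPress the corresponding escaping functions are esc_html() and esc_attr()). The SCRIPT-stripping regex and the sample descriptions are constructed to model the behaviour the finding describes, not copied from the plugin's source.

```python
import html
import re

# Constructed approximation of a regex-based SCRIPT-tag stripper, modelling the
# behaviour the finding describes (the plugin's actual PHP regex is not quoted here).
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Blacklist filter: removes <script> tags only; every other tag survives."""
    return SCRIPT_TAG_RE.sub("", value)


def escape_for_html(value: str) -> str:
    """Output escaping: the text can no longer be parsed as markup
    (the equivalent of WordPress esc_html())."""
    return html.escape(value, quote=True)


def still_contains_markup(value: str) -> bool:
    """Crude check used below: does anything that parses as an HTML tag remain?"""
    return re.search(r"<[a-zA-Z/!][^>]*>", value) is not None


# Constructed sample description values, as they might be stored by the plugin.
SAMPLES = {
    "plain": "Weekly newsletter template",
    "script": "Hello <script>alert(1)</script>",
    # the bypass named in the finding: no SCRIPT tag, so the regex leaves it alone
    "event_handler": 'Hello <img onerror="alert(3)" src="">',
}


def compare(samples=SAMPLES):
    """Run each sample through both approaches and report whether markup survives."""
    out = {}
    for name, raw in samples.items():
        stripped = strip_script_tags(raw)
        escaped = escape_for_html(raw)
        out[name] = {
            "stripped": stripped,
            "stripped_has_markup": still_contains_markup(stripped),
            "escaped": escaped,
            "escaped_has_markup": still_contains_markup(escaped),
        }
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value!r}")
```

Running it shows the regex removing the SCRIPT tag from the second sample while passing the IMG/onerror sample through unchanged; escaping neutralises both, and leaves the plain description untouched. The fix the failure criteria point at is therefore to escape every stored value at the point it is echoed into a page, not to enlarge the blacklist.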

Failure criteria

  • Lack of proper output escaping

Read more about our failure criteria.