Plotly – dxw advisories

Use with caution

Last revised: July 9, 2015

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

Stored XSS in Plotly allows less privileged users to insert arbitrary JavaScript into posts

Findings

The plugin does not escape its output. This allows WordPress users who do not have the “unfiltered_html” capability to insert JavaScript. By default only Admins on single sites, and Super Admins on Multisite have the unfiltered_html capability.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Does not properly escape output.

Failure criteria

Lack of proper output escaping