
Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not enforce nonce checks when saving its settings, and it neither sanitises the submitted values nor escapes them on output. An attacker can therefore use CSRF to make a logged-in admin change the settings to a Cross-Site Scripting payload, which is stored and triggered either in the frontend or in the backend, depending on the payload. The CSRF was fixed in 1.5.1; further sanitisation was added in versions 1.5.2 to 1.5.4.
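The pattern behind this class of bug, shown as an added example that is not Flat Preloader's own code: a settings handler that accepts any POST (no nonce, no capability check), stores the raw value and echoes it unescaped, next to a hardened version that checks the capability, verifies a nonce bound to the logged-in user, sanitises on save and escapes on output. The option name fp_demo_settings, the field loader_text, the nonce action fp_demo_save_settings and all fp_demo_* functions are hypothetical; the advisory does not name the plugin's real identifiers.

```php
<?php
/*
 * Added illustration, not the plugin's code. The option name
 * 'fp_demo_settings', the field 'loader_text' and every fp_demo_* name
 * are hypothetical placeholders.
 */

// --- Vulnerable pattern: the shape of bug the advisory describes ---------
// A browser sends the admin's cookies with any cross-site POST, so a page
// the admin merely visits can submit this form on their behalf. Nothing
// here proves the request came from the plugin's own settings page.
function fp_demo_save_settings_vulnerable() {
    if ( isset( $_POST['loader_text'] ) ) {
        update_option( 'fp_demo_settings', array(
            'loader_text' => $_POST['loader_text'],   // raw, unsanitised
        ) );
    }
}

function fp_demo_render_vulnerable() {
    $opts = get_option( 'fp_demo_settings', array( 'loader_text' => '' ) );
    // Stored value printed verbatim into the page: stored XSS.
    echo '<div class="preloader">' . $opts['loader_text'] . '</div>';
}

// --- Hardened pattern ----------------------------------------------------
// 1. Only users who may manage options get this far.
// 2. check_admin_referer() dies unless the request carries a valid nonce
//    tied to the logged-in user; a cross-site page cannot read that value.
// 3. Input is sanitised before storage.
// 4. Output is escaped for the context it is printed into.
function fp_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'fp_demo_save_settings', 'fp_demo_nonce' );

    $text = isset( $_POST['loader_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['loader_text'] ) )
        : '';
    update_option( 'fp_demo_settings', array( 'loader_text' => $text ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=fp-demo&updated=1' ) );
    exit;
}

function fp_demo_render_hardened() {
    $opts = get_option( 'fp_demo_settings', array( 'loader_text' => '' ) );
    // esc_html() for element content; use esc_attr() inside attributes.
    echo '<div class="preloader">' . esc_html( $opts['loader_text'] ) . '</div>';
}

// The settings form must emit the matching nonce field so legitimate
// saves pass check_admin_referer().
function fp_demo_settings_form() {
    $opts = get_option( 'fp_demo_settings', array( 'loader_text' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fp_demo_save_settings">';
    wp_nonce_field( 'fp_demo_save_settings', 'fp_demo_nonce' );
    echo '<input type="text" name="loader_text" value="'
        . esc_attr( $opts['loader_text'] ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// admin-post.php dispatches a POST with action=fp_demo_save_settings here.
add_action( 'admin_post_fp_demo_save_settings', 'fp_demo_save_settings_hardened' );
```

Note that the nonce alone closes the CSRF vector but not the XSS: an admin can still store a script via the legitimate form, which is why the advisory records separate sanitisation fixes after the CSRF fix. Sanitising on save and escaping on output are both needed, and the escaping function must match where the value lands (element content, attribute, URL, or JavaScript).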

