New Blog Templates

Allows the site admin to create new blogs based on templates, to speed up the blog creation process


No issues found

Confidence: Medium. This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe.


Findings

  • Does not escape all HTML output (for example, the Template Name field); the capability required to set these values appears to be manage_network
  • For some reason it attempts to strip SCRIPT tags out of template and category descriptions with regular expressions (blogtemplatesfiles/admin/categories_menu.php line 138, blogtemplatesfiles/admin/main_menu.php line 417). This doesn't work, because an element such as `<img onerror="alert(3)" src="">` is not a SCRIPT tag and passes straight through. It's unclear what the stripping is intended to prevent
  • No other issues found
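To illustrate the two findings above, here is an added example (not the plugin's own code) contrasting a hypothetical regex-based SCRIPT-tag strip, standing in for the one the review describes, with proper output escaping via WordPress's esc_html(); the regex, the sample descriptions and the esc_html() stand-in are all assumptions so the snippet runs outside WordPress.

```php
<?php
// Stand-in for the plugin's stripping (the review does not quote the real regex).
// Removing <script>...</script> only leaves every other HTML element untouched.
function strip_script_tags_naively(string $description): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $description);
}

// Minimal stand-in for WordPress's esc_html() so this file runs on plain PHP.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Rendering a description the way the review recommends: escape at output time,
// so whatever was stored is shown as text rather than interpreted as markup.
function render_description_cell(string $description): string
{
    return '<td>' . esc_html($description) . '</td>';
}

// Constructed sample descriptions: one the regex catches, one it does not.
$samples = [
    'script tag'   => '<script>alert(1)</script>',
    'other element' => '<img onerror="alert(3)" src="">',
];

foreach ($samples as $label => $description) {
    echo "$label\n";
    echo "  after regex strip: " . strip_script_tags_naively($description) . "\n";
    echo "  escaped on output: " . render_description_cell($description) . "\n";
}
```

The regex leaves the second sample intact as live markup, while escaping renders both samples as inert text, which is why the review treats escaping as the fix and the stripping as irrelevant.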

Failure criteria

Read more about our failure criteria.

Fail Lack of proper output escaping

We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.

Please read this site's terms of service before taking any action based on information published here.

Testers: Tom Adams
Last revised: December 22, 2016
Versions tested: 2.8.3
Plugin homepage: New Blog Templates
Other versions: None listed