2 reflected XSS

[floyd-fuh]

You have two trivial reflected Cross-Site Scripting (XSS) issues that might have an impact or not, as I didn't test an attack vector/exploitability, e.g. I don't know if there is a trivial link-click exploit path (I simply didn't try because I don't even have this plugin installed anywhere). Nevertheless, I suggest you fix them:

oo-wp-plugin/plugin/Gui/AdminPageFormSettingsBase.php

Line 764 in 45e3373

echo '<input type="hidden" name="record_id" value="' . ( $_GET['id'] ?? 0 ) . '" />';

onoffice-for-wp-websites/plugin/Gui/AdminPageFormSettingsBase.php:762:          echo '<input type="hidden" name="record_id" value="' . ( $_GET['id'] ?? 0 ) . '" />';

and

oo-wp-plugin/plugin/Gui/AdminPageSettingsBase.php

Line 176 in 45e3373

echo '<input type="hidden" name="record_id" value="' . ( $_GET['id'] ?? 0 ) . '" />';

onoffice-for-wp-websites/plugin/Gui/AdminPageSettingsBase.php:170:              echo '<input type="hidden" name="record_id" value="' . ( $_GET['id'] ?? 0 ) . '" />';

Obviously if the URL GET parameter id is something like ?id="><script>alert(1)</script> this will trigger the alert.

Again, I didn't test it, there might be a hundred code paths that verify the id parameter to be numeric before this code is trigger - or not, I didn't check.

As far as I saw you know what HTML output encoding is and means, so this should be trivial to fix.

[yeneastgate]

@fredericalpers I will check and fix it asap

[yeneastgate]

@fredericalpers @floyd-fuh I have listed and checked the files that may have XSS and SQL Injection vulnerabilities in the table below, and I have updated the locations where XSS security errors may occur.

Please check and let me know your opinion. Thanks!

[fredericalpers]

Thank you for fixing this, we will review this asap.

[floyd-fuh]

looks ok to me