漏洞概述 该网页截图显示了一个WordPress插件目录中的代码文件(截图中的具体文件路径在此未能完整提取)。文件最后更新时间为2020年3月4日,由creativethemes.sh提交,文件大小为8.4 KB。需要注意的是,本页面并未给出具体的漏洞类型、受影响版本范围或触发条件;下文的修复建议是针对"用户输入未经转义直接输出"(XSS)这一类问题的通用加固措施,并非基于已确认的漏洞细节。 影响范围 该漏洞影响使用Blocksy Companion插件的WordPress网站,特别是涉及产品评论功能的页面(从代码中的 `blocksy:product-reviews:front:atts` 过滤器钩子名可推断该文件属于产品评论模块的前端模板)。 修复方案 1. 更新插件:确保Blocksy Companion插件已更新至最新版本,以获取最新的安全补丁;并核对厂商更新日志,确认所用版本确实包含相关安全修复。 2. 代码审查:检查并审查相关代码,确保没有未过滤的用户输入直接输出到页面——尤其要关注经由 `apply_filters()` 返回的 `$atts` 数组:任何其他插件或主题都可以挂接该过滤器改写其内容,因此其值不能视为可信。 3. 输入验证:对所有用户输入进行严格的验证和过滤(例如使用 `sanitize_text_field()`、`absint()` 等按类型选择的净化函数),防止恶意代码注入。 4. 输出编码:在输出用户数据时,按输出上下文使用WordPress提供的转义函数(HTML 正文用 `esc_html()`,HTML 属性用 `esc_attr()`,URL 用 `esc_url()`)来防止XSS攻击;不存在对所有上下文都通用的"净化"函数,转义必须在输出点、针对具体上下文进行。 POC代码 以下是截图中包含的代码块。注意:该片段并不是可用的漏洞验证(POC)代码——它在 `$atts = array();` 之后对 `$atts` 各键所做的全部 `if ( ! empty( $atts[...] ) )` 检查都不可能成立(数组刚被清空),且分支体内只是自我赋值,不产生任何效果;片段开头的 `$atts` 在本文件中未见定义(推测来自包含该模板的上层作用域),末尾也被截断。它既不能证明漏洞存在,也不能用于复现,请勿据此判断风险等级: ```php <?php / Blocksy Companion Plugin @package Blocksy @author CreativeThemes @version 1.0.0 */ if ( ! defined( 'ABSPATH' ) ) { exit; } $atts = apply_filters( 'blocksy:product-reviews:front:atts', $atts ); $gallery_images = array(); if ( ! empty( $atts['gallery'] ) ) { $gallery_images = $atts['gallery']; } if ( ! empty( $atts['thumbnail_id'] ) ) { $gallery_images[] = $atts['thumbnail_id']; } $atts = array(); if ( ! empty( $atts['link'] ) ) { $atts['link'] = $atts['link']; } if ( ! empty( $atts['target'] ) ) { $atts['target'] = $atts['target']; } if ( ! empty( $atts['rel'] ) ) { $atts['rel'] = $atts['rel']; } if ( ! empty( $atts['title'] ) ) { $atts['title'] = $atts['title']; } if ( ! empty( $atts['class'] ) ) { $atts['class'] = $atts['class']; } if ( ! empty( $atts['style'] ) ) { $atts['style'] = $atts['style']; } if ( ! empty( $atts['data'] ) ) { $atts['data'] = $atts['data']; } if ( ! empty( $atts['aria'] ) ) { $atts['aria'] = $atts['aria']; } if ( ! empty( $atts['role'] ) ) { $atts['role'] = $atts['role']; } if ( ! empty( $atts['tabindex'] ) ) { $atts['tabindex'] = $atts['tabindex']; } if ( ! empty( $atts['id'] ) ) { $atts['id'] = $atts['id']; } if ( ! empty( $atts['name'] ) ) { $atts['name'] = $atts['name']; } if ( ! empty( $atts['value'] ) ) { $atts['value'] = $atts['value']; } if ( ! empty( $atts['placeholder'] ) ) { $atts['placeholder'] = $atts['placeholder']; } if ( ! empty( $atts['maxlength'] ) ) { $atts['maxlength'] = $atts['maxlength']; } if ( ! empty( $atts['minlength'] ) ) { $atts['minlength'] = $atts['minlength']; } if ( ! empty( $atts['pattern'] ) ) { $atts['pattern'] = $atts['pattern']; } if ( ! 
empty( $atts['required'] ) ) { $atts['required'] = $atts['required']; } if ( ! empty( $atts['disabled'] ) ) { $atts['disabled'] = $atts['disabled']; } if ( ! empty( $atts['readonly'] ) ) { $atts['readonly'] = $atts['readonly']; } if ( ! empty( $atts['autocomplete'] ) ) { $atts['autocomplete'] = $atts['autocomplete']; } if ( ! empty( $atts['autofocus'] ) ) { $atts['autofocus'] = $atts['autofocus']; } if ( ! empty( $atts['multiple'] ) ) { $atts['multiple'] = $atts['multiple']; } if ( ! empty( $atts['size'] ) ) { $atts['size'] = $atts['size']; } if ( ! empty( $atts['cols'] ) ) { $atts['cols'] = $atts['cols']; } if ( ! empty( $atts['rows'] ) ) { $atts['rows'] = $atts['rows']; } if ( ! empty( $atts['wrap'] ) ) { $atts['wrap'] = $atts['wrap']; } if ( ! empty( $atts['spellcheck'] ) ) { $atts['spellcheck'] = $atts['spellcheck']; } if ( ! empty( $atts['draggable'] ) ) { $atts['draggable'] = $atts['draggable']; } if ( ! empty( $atts['contenteditable'] ) ) { $atts['contenteditable'] = $atts['contenteditable']; } if ( ! empty( $atts['hidden'] ) ) { $atts['hidden'] = $atts['hidden']; } if ( ! empty( $atts['inert'] ) ) { $atts['inert'] = $atts['inert']; } if ( ! empty( $atts['popover'] ) ) { $atts['popover'] = $atts['popover']; } if ( ! empty( $atts['popovertarget'] ) ) { $atts['popovertarget'] = $atts['popovertarget']; } if ( ! empty( $atts['popovertargetaction'] ) ) { $atts['popovertargetaction'] = $atts['popovertargetaction']; } if ( ! empty( $atts['popovertargettoggle'] ) ) { $atts['popovertargettoggle'] = $atts['popovertargettoggle']; } if ( ! empty( $atts['popovertargethide'] ) ) { $atts['popovertargethide'] = $atts['popovertargethide']; } if ( ! empty( $atts['popovertargetshow'] ) ) { $atts['popovertargetshow'] = $atts['popovertargetshow']; } if ( ! empty( $atts['popovertargettoggle'] ) ) { $atts['popovertargettoggle'] = $atts['popovertargettoggle']; } if ( ! empty( $atts['popovertargethide'] ) ) { $atts['popovertargethide'] = $atts['popovertargethide']; } if ( ! 
empty( $atts['popovertargetshow'] ) ) { $atts['popovertargetshow'] = $atts['popovertargetshow']; } if ( ! empty( $atts['popovertargettoggle'] ) ) { $atts['popovertargettoggle'] = $atts['popovertargettoggle']; } if ( ! empty( $atts['popovertargethide'] ) ) { $atts['popovertargethide'] = $atts['popovertargethide']; } if ( ! empty( $atts['popovertargetshow'] ) ) { $atts['popovertargetshow'] = $atts['popovertargetshow']; } if ( ! empty( $atts['popovertargettoggle'] ) ) { $atts['popovertargettoggle'] = $atts['popovertargettoggle']; } if ( ! empty( $atts['popovertargethide'] ) ) { $atts['popovertargethide'] = $atts['popovertargethide']; } if ( ! empty( $atts['popovertargetshow'] ) ) { $atts['popovertargetshow'] = $atts['popovertargetshow']; } if ( ! empty( $atts['popovertargettoggle'] ) ) { $atts['popovertargettoggle'] = $atts['popovertargettoggle']; } if ( ! empty( $atts['popovertargethide'] ) ) { $atts['popovertargethide'] = $atts['popovertargethide']; } if ( ! empty( $atts['popovertargetshow'] ) ) { $atts['po