I’ve had an external security test performed on our site, and they found you can upload files and then execute embedded HTML code.
To reproduce this issue perform the following steps:
1. Navigate to https://YourSite.com
2. Start an order.
3. Create a text file containing HTML content, like the below, and save this with the .png file extension.
alert(document.domain);
4. Upload this file in your order form.
5. Once the file has uploaded, click the created link.
6. Observe that an alert pops up.
The only options I have in Checkout Files Upload / Template / Uploaded file are: %file_name%, %image%, %remove_button%.
Is there an alternative to %file_name% that is not an HTML link?
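Added example (not part of the original post or of the plugin's own code): a server-side check in Python showing why an extension-only check accepts the test file from step 3, and the response headers that stop a browser from rendering a served upload as a page. The function names and the two sample files are constructed for the example.

```python
import os
import re

# Magic bytes expected for each allowed extension. The upload described in
# the post trusted only the extension, which a text file saved as .png satisfies.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}

# Markers that have no business near the start of an image; a heuristic
# second line of defence, not a replacement for decoding the image.
HTML_MARKERS = (b"<script", b"<html", b"<!doctype", b"<svg", b"<body", b"<iframe")

# Constructed samples: the post's test file (HTML saved as .png) and a
# minimal real PNG signature followed by padding.
HTML_AS_PNG = b"<script>alert(document.domain);</script>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_upload(filename, data):
    """Return (ok, reason). ok only if the extension is allowed AND the bytes match it."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not start with the {ext} signature"
    if any(marker in data[:1024].lower() for marker in HTML_MARKERS):
        return False, "active content found near the file header"
    return True, "ok"


def download_headers(filename):
    """Headers for serving an upload so the browser never treats it as a document.

    nosniff stops MIME sniffing of the body, and an attachment disposition with
    a sanitised name forces a download instead of in-page rendering.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    print(validate_upload("payload.png", HTML_AS_PNG))  # rejected: no PNG signature
    print(validate_upload("photo.png", REAL_PNG))       # accepted
    print(download_headers("photo.png"))
```

Which of these checks the plugin can be hooked into depends on its own upload and link-generation code; the example only shows what the checks need to do.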
This is the forum for feature requests only. If you need support please open a ticket at https://wpwham.com/support/