I have a WordPress plugin that helps create an organization chart/tree and then generates a URL where the chart is available to be viewed by the public.
The plugin dashboard looks like this
the plugin uses window alerts to input from the user:
As the input is received, it's passed to the DB and added to it :
/**
* Handles org chart submission and saving
*/
if ( isset( $_POST['tree'] ) ) {
$this->handle_tree_update();
}
The handle_tree_update looks like this:
/**
* Saves the submitted tree into the DB
*/
private function handle_tree_update() {
$tree = json_decode( wp_unslash( $_POST['tree'] ), true );
if ( $tree ) {
/**
* Converts nested tree object to a flat array
*/
$teams = $this->get_teams_from_nested_tree( $tree );
update_option( self::OPTION_NAME, $teams );
}
}
Is this cycle vulnerable to any security threats?
If this were a normal application, then the input passed could have been used for injection attacks and the input would have needed to be sanitized. The inputs here are taken from an authorized admin(the UI shows inside the WordPress site's dashboard) so even if they are not sanitized, the input is always going to be malign free. Assuming the WordPress site is not configured with default credentials.
Is this flow vulnerable to XSS attack?
