#3503 - Persistent XSS
Thanks for the report.
This both is and isn't a security hole. By that I mean I agree it is a security hole, but it is not exploitable.
The Setup Wizard can only be run by a logged-in webmaster, and thus no non-privileged user can set this.
Additionally, CSRF protection exists, such as tokens in forms, referrer checking, and session validation, to prevent remote control of this kind of thing.
Regardless, this will be fixed in our next patch release, and I do thank you for your report. We strive to fix all issues, even if we don't believe them to be exploitable.