Cross-site Scripting vulnerability in Cakifo


Output escaping of image metadata in "Cakifo" is incomplete on image attachment pages. If the Exif data of an uploaded image contains HTML tags or JavaScript, the theme prints it unescaped and arbitrary tags may be executed.

Products Affected


An arbitrary script may be executed in the user's web browser.


Update the theme

On August 12, 2014, Cakifo 1.6.2, which contains a fix for this vulnerability, was released.

Don't allow untrusted users to upload images

By default, only users with the upload_files capability are able to upload images. If you allow untrusted users to upload images, you should either stop allowing it or update the theme to the latest version.
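The following is an added example, not Cakifo's own code or the 1.6.2 fix, illustrating the two points above: an attachment-page template part that prints the Exif/IPTC fields WordPress stores for an image, shown first in the unescaped form the advisory describes and then with the escaping it lacked, followed by a must-use plugin that withdraws the upload_files capability from a role until the theme is updated. The function names and the `author` role are assumptions for illustration; `wp_get_attachment_metadata()`, `esc_html()`, `esc_attr()`, `get_role()` and `WP_Role::remove_cap()` are WordPress core APIs.

```php
<?php
/**
 * Added example (not Cakifo's own code): escaping Exif-derived metadata on
 * an attachment page, and restricting who may upload images.
 *
 * Assumptions: the example_* function names are hypothetical; the 'author'
 * role at the bottom is a placeholder for whichever role you consider
 * untrusted on your site.
 */

// Fields WordPress copies from the image's Exif/IPTC block into
// wp_get_attachment_metadata( $id )['image_meta'] at upload time.
const EXAMPLE_EXIF_FIELDS = array( 'title', 'caption', 'camera', 'credit', 'copyright' );

/**
 * Vulnerable pattern (the class of bug described in the advisory): values
 * read from the uploaded file are echoed as-is, so any markup an uploader
 * placed in the file's Exif block becomes part of the page's HTML.
 */
function example_print_image_meta_unescaped( array $image_meta ) {
    foreach ( EXAMPLE_EXIF_FIELDS as $field ) {
        if ( empty( $image_meta[ $field ] ) ) {
            continue;
        }
        echo '<li>' . $field . ': ' . $image_meta[ $field ] . '</li>';
    }
}

/**
 * Hardened pattern: every value that came from the file is treated as
 * untrusted text and escaped for the context it is printed in (element
 * content via esc_html(), attribute values via esc_attr()).
 */
function example_print_image_meta_escaped( array $image_meta ) {
    foreach ( EXAMPLE_EXIF_FIELDS as $field ) {
        if ( empty( $image_meta[ $field ] ) ) {
            continue;
        }
        printf(
            '<li class="%1$s">%2$s: %3$s</li>',
            esc_attr( 'meta-' . $field ),
            esc_html( $field ),
            esc_html( $image_meta[ $field ] )
        );
    }
}

// Template usage on an attachment page, inside the loop.
if ( is_attachment() && wp_attachment_is_image( get_the_ID() ) ) {
    $meta = wp_get_attachment_metadata( get_the_ID() );
    if ( ! empty( $meta['image_meta'] ) ) {
        echo '<ul class="image-meta">';
        example_print_image_meta_escaped( $meta['image_meta'] );
        echo '</ul>';
    }
}

/*
 * Second mitigation from the advisory, as a must-use plugin
 * (wp-content/mu-plugins/example-no-uploads.php): remove upload_files from
 * a role you do not trust with image uploads. WP_Role::remove_cap() persists
 * the change, so the has_cap() check avoids rewriting the roles option on
 * every request.
 */
add_action( 'init', function () {
    $role = get_role( 'author' ); // placeholder role; adjust for your site
    if ( $role && $role->has_cap( 'upload_files' ) ) {
        $role->remove_cap( 'upload_files' );
    }
} );
```

The escaping is applied at output rather than at upload because the metadata is already stored by the time the theme renders it; escaping in the template protects every page that prints these fields regardless of how the values got into the database.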


CVE Identifier