www.remarpro.com has contacted us about what they believe is a potential Authenticated Reflected XSS issue. That means it’s a security issue that can only occur when you are logged in to your site and are somehow tricked into clicking on a link that contains some malicious JavaScript code.
I have checked through the plugin code, and I believe the report to be a false positive. Using the example malicious link they provide, there’s nothing in the plugin code that would actually output the malicious JavaScript on the site.
It does, however, generate a parse error, and so the only way that this could be a genuine XSS vulnerability is on a site where error reporting is set to just directly output error messages on the screen unescaped.
I’ve created a patch to address this edge case and uploaded it as v2.14.2, so we’re just waiting for the www.remarpro.com Plugin Team to respond. You can grab it from GitHub in the meantime if you’re concerned you might be affected by the issue: