Viewing 5 replies - 1 through 5 (of 5 total)
    Plugin Author livemesh

    (@livemesh)

    Thanks for reaching out to us. Please expect a fix within the next 6 hours. I am given to understand that this can be exploited only if someone has an account on your site and has access to the plugin settings window. That implies the user has already been granted admin permissions for the site by you.

    Plugin Author livemesh

    (@livemesh)

    We have reached out to the reporting authority on this. Our analysis with the tools available to us showed no vulnerability in the plugin. Will wait for their reply in the next few hours.

    Thread Starter Jos Klever

    (@josklever)

    Thanks for your quick response. The way I read it, all accounts with a role of Contributor or higher (not necessarily Administrator) might be able to add malicious scripts to the content, so some sanitization might be missing.

    For my client’s site there are only a few trusted (admin) accounts, so there’s no danger, but I hope the reporter will share the details with you soon, so this can be fixed for the other users.
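
The pattern Jos describes above, shown as an added illustration that is not code from the Livemesh plugin, from Patchstack's report, or from any participant in this thread (the actual vulnerable code is not on this page): a generic WordPress shortcode handler that interpolates an attribute into HTML unescaped, next to the same handler escaped for its output context. The shortcode name `demo_box`, its attribute names and the function names are hypothetical.

```php
<?php
// Added illustration, not code from the plugin discussed in this thread.
// Shortcode name "demo_box", attribute names and function names are hypothetical.

// Vulnerable pattern: shortcode attribute values are concatenated into HTML as-is.
// A Contributor lacks the unfiltered_html capability, so wp_kses strips a raw
// <script> tag from the post body on save. A shortcode attribute such as
//   [demo_box title='" onmouseover="alert(1)' body="hello"]
// contains no HTML tag, so kses leaves it alone; once this handler echoes it,
// the value closes the title attribute and injects an event handler. The
// payload fires for whoever renders the post, including an Editor or
// Administrator previewing a Contributor's pending submission.
function demo_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'body' => '' ), $atts, 'demo_box' );
    return '<div class="demo-box" title="' . $atts['title'] . '">'
         . $atts['body'] . '</div>';
}

// Hardened pattern: escape each value for the context it lands in.
// esc_attr() for an HTML attribute value (quotes become &quot;, so the
// attribute cannot be closed), wp_kses_post() for markup that may carry the
// same tags a post body is allowed to carry (strips <script> and on* handlers).
function demo_box_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'body' => '' ), $atts, 'demo_box' );
    return '<div class="demo-box" title="' . esc_attr( $atts['title'] ) . '">'
         . wp_kses_post( $atts['body'] ) . '</div>';
}

// Register only the escaped handler; the vulnerable one is kept above for comparison.
add_shortcode( 'demo_box', 'demo_box_shortcode_safe' );
```

A quick check for any plugin, not just this one: grep its shortcode and widget render callbacks for attribute or option values that reach `echo` or string concatenation without passing through `esc_attr()`, `esc_html()`, `esc_url()` or `wp_kses_post()`. Contributor-level stored XSS in WordPress plugins is almost always one of those sites, because kses protects the post body but not what a render callback builds from it.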

    Plugin Author livemesh

    (@livemesh)

    Thanks Jos. I am in touch with PatchStack about this. Waiting for the original report from them. Due to a server configuration issue, the report sent to our email never reached us before this was made public.

    Plugin Author livemesh

    (@livemesh)

    The plugin has been patched for the issue found. Please update to version 3.6. Sorry this took some time, since we had to reach out to the Patchstack team to obtain the audit report. Thanks

  • The topic ‘Authenticated (Contributor+) Stored Cross-Site Scripting’ is closed to new replies.