• Resolved The Fun Group

    (@thefungroup)


    Hi. We got a message from our Wordfence team of this issue:

    The Currency Converter Widget – Exchange Rates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Do you know of a fix for this?

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author currencywiki

    (@currencywiki)

    Hello @thefungroup,

    Thank you for reaching out!

    We are aware of the reported Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 3.0.2 of our plugin. This vulnerability was due to inadequate input sanitization and output escaping on user-supplied attributes in the plugin’s shortcodes. We’ve addressed this issue in the latest update.

    Immediate Action:
    We have taken this issue very seriously and have already developed a patch to address this vulnerability. The patch includes:

    • Stored Cross-Site Scripting Vulnerability: Addressed and fixed a vulnerability related to Stored Cross-Site Scripting (XSS) in the plugin’s shortcodes. This was achieved through enhanced input sanitization and output escaping, ensuring that user-supplied attributes in the shortcodes are securely handled.
    • Strengthened Input Sanitization: Implemented improved input sanitization techniques to effectively clean user inputs, preventing the injection of malicious scripts.
    • Improved Output Escaping: Enhanced the output escaping mechanisms to ensure that any data displayed by the plugin is safe from script execution.

    A new version of the plugin, [Version 3.0.3], containing these security enhancements, is now available. We strongly recommend updating to this latest version immediately to ensure your website’s security and to protect against this vulnerability.
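    The fix the plugin author describes above, "input sanitization and output escaping on user-supplied attributes in the shortcodes", is the standard remedy for this class of stored XSS in WordPress shortcodes. The following is an added illustration, not code from the Currency Converter Widget plugin or from this thread: a hypothetical shortcode handler (`example_converter`, with made-up attributes `from`, `to`, `title` and `width`) shown first in the defect pattern and then hardened. It assumes WordPress is loaded, since `shortcode_atts()`, `sanitize_text_field()`, `absint()`, `esc_attr()`, `esc_html()` and `add_shortcode()` are WordPress core functions.

```php
<?php
// Added example (not the plugin's own code). Assumes WordPress is loaded.
// The shortcode name 'example_converter' and its attributes are hypothetical.

// DEFECT PATTERN the thread describes: attribute values are concatenated into
// HTML with no sanitization or escaping. Any user who can place a shortcode in
// post content (contributors included) controls what lands inside the
// attributes and the heading, so a quote character ends the attribute early
// and the rest of the value is interpreted as markup.
function example_converter_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'from' => 'USD', 'to' => 'EUR', 'title' => 'Converter', 'width' => '300' ),
        $atts,
        'example_converter'
    );
    return '<div class="converter" style="width:' . $atts['width'] . 'px"'
         . ' data-from="' . $atts['from'] . '" data-to="' . $atts['to'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Helper: a currency code is exactly three ASCII letters; anything else falls
// back to a default rather than being passed through.
function example_converter_currency_code( $value, $default ) {
    $value = strtoupper( trim( (string) $value ) );
    return preg_match( '/^[A-Z]{3}$/', $value ) ? $value : $default;
}

// HARDENED VERSION: validate/sanitize each attribute on input according to
// what it is supposed to be, then escape on output for the exact HTML context
// it lands in (attribute vs. text node). Both layers are kept: sanitization
// limits what is stored, escaping makes the render safe even if a value
// reaches this point by another path.
function example_converter_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'from' => 'USD', 'to' => 'EUR', 'title' => 'Converter', 'width' => '300' ),
        $atts,
        'example_converter'
    );

    // Input sanitization: whitelist the shape of each value.
    $from  = example_converter_currency_code( $atts['from'], 'USD' );
    $to    = example_converter_currency_code( $atts['to'], 'EUR' );
    $width = absint( $atts['width'] );            // non-negative integer only
    if ( $width < 50 || $width > 1000 ) {         // keep within a sane range
        $width = 300;
    }
    $title = sanitize_text_field( $atts['title'] ); // strips tags, normalises whitespace

    // Output escaping per context: esc_attr() for attribute values,
    // esc_html() for element text, %d for the integer in the style attribute.
    return sprintf(
        '<div class="converter" style="width:%dpx" data-from="%s" data-to="%s"><h3>%s</h3></div>',
        $width,
        esc_attr( $from ),
        esc_attr( $to ),
        esc_html( $title )
    );
}

add_shortcode( 'example_converter', 'example_converter_shortcode' );
```

Two points worth checking when auditing a shortcode of this kind: sanitization must happen at render time in the handler, not only when a post is saved, because contributor-authored content is rendered for every visitor including administrators; and the escaping function must match the output context (a value placed inside a `style` or event-handler attribute needs stricter handling than plain attribute text, which is why the width above is reduced to an integer rather than escaped as a string).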

    Thread Starter The Fun Group

    (@thefungroup)

    Thank you for your assistance.

  • The topic ‘Stored Cross-Site Scripting’ is closed to new replies.