<= 2.4.7 – Cross-Site Scripting (XSS) vulnerability

Ok, I’m waiting to hear more about this from either www.remarpro.com or WordFence Security.

In the past whenever I’ve had security issues with Slide Anything, www.remarpro.com or WordFence Security (or both) have contacted me and provided details on the issue, how to replicate it etc.

Recently (within the last year), www.remarpro.com contacted me and told me I had to go through the entire plugin and sanitize all inputs (and escape all outputs) to make the plugin totally secure, otherwise they would delist the plugin. This included sanitizing titles, text inputs text areas etc… This was an exhaustive process but I did it and www.remarpro.com confirmed this as of release 2.4.0 for Slide Anything. I have not heard back anything since.

I have not added any new input fields and new functionality to the plugin since, so I am wondering if this is a red herring or maybe security scanners are acting on old information. But maybe I missed something (and www.remarpro.com missed it). I’m sure if it’s a real issue www.remarpro.com will contact me shortly about it.

Thanks for responding. Please keep us in the loop. I love your plugin!

You made the list:

https://ithemes.com/blog/wordpress-vulnerability-report-march-22-2023/?utm_source=WordPress+News+%26+Updates+from+iThemes&utm_campaign=61cf61c692-3_22_2023_ITSEC&utm_medium=email&utm_term=0_35856077f7-61cf61c692-301490621&mc_cid=61cf61c692&mc_eid=d0aa9d2f32

Thank you! I’ll update!

Ok I am closing this topic now as version 2.4.9 solves the security vulnerability.

iThemes Security seems to be saying 2.4.9 is still vulnerable (We also have Qualys WAS which hasn’t picked anything up), the links have pretty poor information with links to https://www.cve.org/CVERecord?id=CVE-2023-28499 and https://patchstack.com/database/vulnerability/slide-anything/wordpress-slide-anything-plugin-2-4-7-cross-site-scripting-xss-vulnerability?_a_id=431 and thats it (Not seen lack of information like this before)

PatchStack has just not updated their database.

You will see that on PatchStack, FearZzZz is listed as the person who discovered the vulnerability. This is who I’ve been dealing will via email correspondence and he has confirmed to me via email (and also see above previous comment) that this vulnerability is resolved.