• Resolved ibiza69

    (@ibiza69)


    Dear friends, for us, the people who try to trust your plugin and use it, it would be appreciated if, when problems or vulnerabilities appear in the plugin, they were resolved as “urgently” as possible.

    Below, I show you the latest one, among many that we have had to face. This one dates from September 26, 2023, and as of today, November 1, 2023, it has not yet been patched or resolved, more than a month later…

    Notification from: “iThemes Security (Now: Solid Security)”

    WordPress “Popup Builder” plugin <= 4.2.0 – Admin+ Stored Cross-Site Scripting vulnerability

    • Publicly disclosed: SEPTEMBER 26, 2023

    DETAILS: Admin+ Stored Cross-Site Scripting vulnerability discovered by Dipak Panchal (th3.d1pak) in WordPress Plugin Popup Builder (versions <= 4.2.0)

    • Software: Popup Builder
    • Vulnerable versions: <= 4.2.0
    • CVE: CVE-2023-3226
    • Classification: Cross Site Scripting (XSS)
    • 5.9 Medium severity – CVSS 3.1 score

    Dipak Panchal (th3.d1pak) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Popup Builder Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

    Vulnerability history: 12

    • 26 September, 2023: Admin+ Stored Cross-Site Scripting vulnerability <= 4.2.0
    • 30 June, 2022: Cross-Site Request Forgery (CSRF) leading to plugin settings update
    • 20 June, 2022: Authenticated Stored Cross-Site Scripting (XSS) vulnerability
    • 17 June, 2022: Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change
    • 7 March, 2022: SQL Injection (SQLi) vulnerability to Reflected Cross-Site Scripting (XSS)
    • 24 January, 2022: Local File Inclusion (LFI) leading to Remote Code Execution (RCE)
    • 24 January, 2022: SQL Injection (SQLi) vulnerability
    • 28 January, 2021: Authenticated Local File Inclusion (LFI) vulnerability
    • 28 January, 2021: Authenticated Deleting/Importing Subscribers vulnerability
    • 28 January, 2021: Authenticated Newsletter Send With Custom Content And Sender vulnerability
    • 14 December, 2020: Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
    • 16 February, 2020: SQL injection (SQLi) vulnerability
    • 6 August, 2019: SQL Injection (SQLi) vulnerability

    It would be greatly appreciated if, before releasing plugin updates, they were reviewed in depth, bearing in mind the number of past and current events, before exposing your followers, their websites and clients, to this type of unfortunate problem.

    Thank you very much and again, we are still waiting for this to be resolved urgently.
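The advisory quoted in the post above names the bug class (stored cross-site scripting: a value saved through the plugin's admin screens is later written into the page unescaped) but not the pattern behind it. The following is an added illustration, not code from the Popup Builder plugin, from the forum poster or from the advisory. It uses plain PHP so it runs without WordPress; the function names, the `popup-title` class and the stored sample title are constructed for the example. In a real plugin the escaping step is WordPress's `esc_html()` / `esc_attr()` (or `wp_kses_post()` where some markup must be allowed), which wrap the same idea.

```php
<?php
// Added example (not the plugin's code). Shows the stored-XSS pattern named in
// the advisory and its hardened counterpart, plus a small check a reviewer can
// run over rendered output to see whether stored data survived as live markup.
declare(strict_types=1);

// Constructed sample: a popup title an administrator saved through a settings
// form. It deliberately contains markup so the two renderers can be compared.
const STORED_TITLE = 'Summer sale <img src=x onerror="alert(1)">';

// Vulnerable pattern: the stored value is interpolated into HTML unchanged, so
// any tag it contains becomes part of the page for every visitor.
function render_title_unescaped(string $title): string
{
    return "<h2 class=\"popup-title\">$title</h2>";
}

// Hardened pattern for an HTML text context: encode before output.
// htmlspecialchars with ENT_QUOTES is the plain-PHP equivalent of esc_html().
function render_title_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h2 class=\"popup-title\">$safe</h2>";
}

// Hardened pattern for an attribute context (the equivalent of esc_attr()).
// Quoting the attribute and encoding quotes are both required.
function render_title_attr(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<div class=\"popup\" data-title=\"$safe\"></div>";
}

// Review helper: count HTML tags in a rendered fragment. A template that emits
// a fixed number of tags should never produce more once data is inserted; a
// higher count means the stored value was interpreted as markup.
function count_tags(string $html): int
{
    return preg_match_all('/<\/?[a-zA-Z][^>]*>/', $html);
}

function stored_value_injected_markup(string $rendered, int $template_tags): bool
{
    return count_tags($rendered) > $template_tags;
}

// The <h2> template legitimately emits two tags (open and close).
$templateTags = 2;

foreach (['unescaped' => render_title_unescaped(STORED_TITLE),
          'escaped'   => render_title_escaped(STORED_TITLE)] as $label => $html) {
    printf(
        "%-9s tags=%d injected=%s\n   %s\n",
        $label,
        count_tags($html),
        stored_value_injected_markup($html, $templateTags) ? 'yes' : 'no',
        $html
    );
}

// The attribute variant, for completeness of the two output contexts.
printf("attribute tags=%d\n   %s\n", count_tags(render_title_attr(STORED_TITLE)), render_title_attr(STORED_TITLE));
```

Run it with `php example.php`. The point to take from it is that the fix belongs at the output step, chosen for the context the value lands in (text, attribute, URL, script), regardless of which role saved the value: "Admin+" in the advisory describes who can plant the payload, not who is affected, since the script runs in every visitor's browser. When auditing a plugin update for this class of bug, grep for `echo`/`print` of option or post-meta values and confirm each one passes through the escaping function for its context.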

Viewing 1 replies (of 1 total)
  • Plugin Support Jawad Ahmed

    (@jawada)

    Hi,

    We apologize for any inconvenience caused. We are pleased to inform you that the security vulnerability you reported has been addressed and resolved in our latest update, version 4.2.2. I will now mark this thread as resolved. If you require further assistance or have any additional questions, please don’t hesitate to contact us through our support portal. Our team is always here to help!

    https://help.popup-builder.com/en/

    Sincerely,

  • The topic ‘Plugin Security Alert History and last one not resolved since a 1 month ago’ is closed to new replies.