Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author HelgaTheViking

    (@helgatheviking)

    Hi, thanks for reporting this. It’s not entirely clear to me what the problem is. Are there line numbers or specific references? I’m on sabbatical at the moment but can try to look at this when I return in a few weeks.

    Also open to pull requests…

    Thread Starter mprofile

    (@mprofile)

    Sorry, in this case I am only the messenger. But I had a sneaking suspicion you were not aware of this. We run Wordfence on our site and got this message. Yesterday I did some digging myself but I also couldn’t find any details, which would have been nice to determine the scope and if – in our specific case – there would have been a chance of data leakage. But nothing specific was posted online – that I could find, at least.

    Looking in the code of the plugin – I am not a dev – I saw in the last version you already did sanitize the parameter. So I am also at a loss at this moment. Maybe reach out to Wordfence or the original poster to see what’s what?

    Plugin Author HelgaTheViking

    (@helgatheviking)

    I was not aware, so appreciate you bringing it to my attention. I’m still on sabbatical so can’t look at it myself, but some folks from Twitter have contributed a bit on GitHub. We’re off to a promising start.

    Plugin Author HelgaTheViking

    (@helgatheviking)

    With some community help, 1.9.3 was released and (in theory) should patch this issue. Hopefully the release worked… Everything has been difficult to do from my phone.

    Lemme know how it goes.

  • The topic ‘Plugin vulnerable to Reflected Cross-Site Scripting’ is closed to new replies.