• Hello. Until today I had Safe SVG 2.0.3 installed on a WordPress website. WordPress does not show that 2.0.3 is the older version and does not tell me to update it to the new 2.1.0 version. Therefore, for me it was all fine and updated. Not sure, but this is probably a bug in your plugin, which would normally warn users to update it.

    This would not be a big issue except that the previous version 2.0.3 was vulnerable to a Cross-Site Scripting Bypass according to Wordfence: "SVG Sanitizer library <= 0.15.4 – Cross-Site Scripting Bypass" (wordfence.com). I had to download Safe SVG 2.1.0 and upload it manually, and that resolved the issue.

    However, I would recommend you fix the automatic update issue with your plugin in the WordPress Plugins dashboard, as this will keep your users from remaining exposed to this vulnerability.

    I hope to have helped and thank you for your great plugin.

    Kind regards

    IM

Viewing 1 replies (of 1 total)
  • Plugin Support Darin Kotter

    (@dkotter)

    Thanks for the report. I’ve tested this myself and I am seeing the prompt to update to the latest version and I know others have seen the same thing.

    Do you have any special setup as far as handling plugin updates? Any sort of update management plugins in place? Also, are you running PHP 7.4+? The latest release only works on 7.4+ so if you’re running below that, you still should see a notice but won’t be able to update.

  • The topic ‘Safe SVG not updating automatically – Cross Script Bypass Vulnerability’ is closed to new replies.