Hi Otto,
“Insecure” covers a multitude of possibilities, ranging from the very hard to trigger and very limited in impact when triggered, up to the easy to trigger and disastrous in impact. Time is a limited resource, and people like to prioritise their time based on the most pressing problems. Having no information on whether a problem is pressing or not is very unhelpful to the operators of the 10,000+ active sites that this is on, who, in the absence of any information, are forced to assume the worst.
I’m also a plugin developer, not a simple end-user. If a problem is an easy one-line fix, then it’s easier for me to make the fix than to research migration paths and move to a different plugin. Again, not having that information is frustrating and leads to unnecessary duplication of work.
In the case of this particular plugin, I’ve audited the code. Users are susceptible to targeted persistent XSS attacks. Googling shows that others have also done so and come to the same conclusion.
David