Hi there, and thanks for the heads-up. I don’t know why, but we didn’t receive a notification about your post, or about the CVE that’s referenced by Wordfence.
We’ve just released a new major version update that should address the ‘sanitization’ issues that were raised in the CVE/Wordfence report; at the same time, we refactored a lot of the code, removed some old minor bugs and defunct code (don’t think we need to support Flash anymore…), added support for more SoundCloud widget features, and completely revamped the admin section.
It’s also worth mentioning that the CVE stated that the vulnerability could only be executed by a bad actor with admin-level permissions. It goes without saying that properly sanitizing user inputs is absolutely correct (and that has been addressed with this update); but at the same time, if a site has a hacked/rogue user with admin-level permissions… they’ve got a lot more problems.