Vulnerability Reported on iThemes

Hello,

I don’t work on this plugin that often anymore, but if there’s details on how I can patch the issue, I will certainly do so.

I’ll need more details however, since there’s nothing here to go on. Is there a specific note about what exactly the vulnerability is supposed to be?

@wraithkenny :
I also got a critical warning, Here is some more information from wordfence:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/scripts-n-styles/scripts-n-styles-352-authenticated-administrator-stored-cross-site-scripting

“This only impacts multi-site installations and installations where unfiltered_html has been disabled.”

As noted on the other thread, this is certainly a false positive, since the admin code is completely disabled when unfiltered_html is disabled. Thanks for linking to that, much appreciated.

I’ve release 3.5.3, which disables the plugin completely if DISALLOW_UNFILTERED_HTML is set to true, and also disables the old code for upgrading meta data with the old key.

This should remove any surface for the reported vulnerability.

Great, thanks!

Just for your info, the original reporters have marked this as fixed on their site, you shouldn’t see any warnings anymore.