Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Zayed Baloch

    (@zayedbaloch)

    Hi,

    A revised version of the plugin was released two weeks ago. The reports on different websites are for version 1.5.9. It has been republished on the WordPress plugin repository following a review by the WordPress plugin review team.

    br,

    Thread Starter togemaxxmedia

    (@togemaxxmedia)

    Hi Zayed,

    Thank you for your prompt response.

    I am currently running version 1.6.1 of the website, but I am still receiving notifications with the message “No Fix Available” for versions equal to or lower than 1.6.1.

    I’m wondering why this issue hasn’t been recognized as fixed. Normally, the team is very fast with that. Perhaps the fix that was implemented wasn’t the correct one for this particular issue?

    Thank you and best regards,

    Thomas

    Hi, same problem here. Same after updating to version 1.6.1.
    WordPress Twenty20 Image Before-After Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)

    Thread Starter togemaxxmedia

    (@togemaxxmedia)

    Hey Zayed, after receiving the messages from my iThemes plugins every single day, I was thinking about forwarding them every single day here to you too, but that would be quite annoying, so I decided to listen to some music while I really hope you guys can fix this soon. https://youtu.be/aGSKrC7dGcY

    Thread Starter togemaxxmedia

    (@togemaxxmedia)

    @zayedbaloch I guess you just keep ignoring this for quite some more time right?

    This is a false positive. The CVE that was reported was for ver <=1.5.9 yet patchstack for some reason is tagging the latest version and earlier (<=1.6.1).

    Even the patchstack url refers to v 1.5.9 not 1.6.1! I couldn’t find any way to report this error to patchstack.

    https://patchstack.com/database/vulnerability/twenty20/twenty20-image-before-after-1-5-9-contributor-stored-xss

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4580
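The disagreement in the last post comes down to the affected-version range attached to the advisory rather than to the CVE itself: a scanner only knows the installed version and a constraint string, so if the database still says "<= 1.6.1" the notice keeps firing after the fix. The following is an added example (not code from the plugin, from Patchstack or from iThemes) of how such a check is made: it reads the same `Version:` header WordPress parses from a plugin's main file and tests it against a constraint string with numeric comparison. The header text and the two advisory entries are constructed for illustration; the ranges "<= 1.5.9" and "<= 1.6.1" are the ones quoted in the posts above.

```python
"""Compare a WordPress plugin's declared version against advisory ranges.

Added example; not code from the Twenty20 plugin, Patchstack or iThemes.
"""
import re

# Constructed sample of the header block WordPress reads from a plugin's
# main PHP file (the real file has more fields; only Version: matters here).
PLUGIN_HEADER = """<?php
/*
Plugin Name: Twenty20 Image Before-After
Version: 1.6.1
*/
"""

# Constructed advisory table: name -> affected-version constraint.
# The first range is what the CVE entry states; the second is what the
# scanner notice in the thread reports.
ADVISORIES = {
    "CVE-2022-4580": "<= 1.5.9",
    "scanner notice": "<= 1.6.1",
}


def parse_version(text: str) -> tuple:
    """'1.6.1' -> (1, 6, 1). Integer tuples compare numerically, whereas
    string comparison would wrongly put '1.10.0' before '1.9.0'."""
    return tuple(int(part) for part in text.strip().split("."))


def plugin_version(header: str) -> tuple:
    """Extract the Version: field using the same leading-junk tolerance
    WordPress applies to header lines (spaces, '*', '/', '#', '@')."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", header, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return parse_version(m.group(1))


def _pad(a: tuple, b: tuple):
    """Right-pad with zeros so (1, 6) and (1, 6, 0) compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


_OPS = {
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "==": lambda a, b: a == b,
}


def affected(installed: tuple, range_expr: str) -> bool:
    """True if `installed` satisfies every comma-separated constraint in
    `range_expr`, e.g. '<= 1.5.9' or '>= 1.0.0, < 1.6.0'."""
    for part in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9][0-9.]*)\s*", part)
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        op, ver = m.groups()
        left, right = _pad(installed, parse_version(ver))
        if not _OPS[op](left, right):
            return False
    return True


def check_advisories(header: str, advisories: dict) -> dict:
    """Map each advisory name to whether the installed version is in range."""
    installed = plugin_version(header)
    return {name: affected(installed, rng) for name, rng in advisories.items()}


if __name__ == "__main__":
    for name, hit in check_advisories(PLUGIN_HEADER, ADVISORIES).items():
        print(f"{name}: {'AFFECTED' if hit else 'not affected'}")
```

Run against the constructed header, the CVE range reports 1.6.1 as not affected while the scanner's "<= 1.6.1" range still flags it, which is exactly the mismatch the thread describes; correcting the range in the advisory data, not the plugin, is what clears the notice.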

  • The topic ‘Vulnerable to Cross Site Scripting (XSS)’ is closed to new replies.