XSS vulnerability
Hello! I see this plugin has been temporarily removed from the repository pending a review. I assume y’all have been informed of this publicly disclosed security vulnerability, but since I don’t see a topic for it, I figured I’d start one, just in case:
The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
WPScan

A fix would be most welcome!
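The following is an added illustration and is not WP-Strava's code, nor anything from the post above; it shows the general pattern the advisory text describes (an admin setting stored without sanitization and echoed without escaping) beside a hardened form, and why the issue is scoped to multisite installs and installs where unfiltered_html has been disabled. The option name (myplugin_title), settings group (myplugin) and function names are assumptions chosen for the example.

```php
<?php
// Added example, not WP-Strava code. All names below are hypothetical.
// Assumed: option 'myplugin_title' in settings group 'myplugin'.

// --- Vulnerable pattern: "insufficient input sanitization and output escaping" ---

// register_setting() with no sanitize_callback stores whatever the admin submits,
// including a <script> tag.
add_action( 'admin_init', function () {
    register_setting( 'myplugin', 'myplugin_title' ); // no sanitize_callback
} );

// Echoing the raw option straight into markup makes the stored script run for
// every visitor of the page that renders it.
function myplugin_render_title_vulnerable() {
    echo '<h2>' . get_option( 'myplugin_title' ) . '</h2>';
}

// --- Hardened pattern: sanitize on save, escape on output ---

// sanitize_text_field() strips tags, control characters and surrounding whitespace
// before the value reaches the database.
add_action( 'admin_init', function () {
    register_setting( 'myplugin', 'myplugin_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
} );

// Escape for the context the value is printed into: esc_html() for text nodes,
// esc_attr() inside attributes, esc_url() for URLs.
function myplugin_render_title_safe() {
    echo '<h2>' . esc_html( get_option( 'myplugin_title', '' ) ) . '</h2>';
}

// --- Why the scope is "multisite and installs where unfiltered_html is disabled" ---

// On a single-site install an administrator holds the unfiltered_html capability
// and can already publish arbitrary HTML, so storing script in a setting gains
// nothing. On multisite only super admins have unfiltered_html, and the
// DISALLOW_UNFILTERED_HTML constant removes it everywhere; in those cases a
// site admin must not be able to persist script through a plugin setting.
// A sanitize callback for a field that legitimately allows some markup should
// mirror what WordPress core does for post content: keep the value as-is only
// for users who hold unfiltered_html, and run it through wp_kses_post() otherwise.
function myplugin_sanitize_rich_text( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value ); // allows safe post markup, drops <script> and event handlers
}

add_action( 'admin_init', function () {
    register_setting( 'myplugin', 'myplugin_intro', array(
        'type'              => 'string',
        'sanitize_callback' => 'myplugin_sanitize_rich_text',
        'default'           => '',
    ) );
} );

// Output of a kses-filtered value still goes through wp_kses_post() again at render
// time, so a value written by any other code path is filtered as well.
function myplugin_render_intro_safe() {
    echo wp_kses_post( get_option( 'myplugin_intro', '' ) );
}
```

Sanitizing on save and escaping on output are both needed: sanitization protects the database from values submitted through the settings form, while escaping at output protects the page from values that reached the option by any other route (WP-CLI, a migration, another plugin).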