bluesix

Wordfence is saying this issue still exists in 2.5.6 (unless this is a new XSS issue) https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/svg-support/svg-support-255-authenticated-author-cross-site-scripting-via-svg

Ah thanks for the tip! I looked into it – the conflict was with Formidable Forms PDF add-on. All sorted now!

Ticket sent.

I’m not sure why this is marked as resolved – it isn’t. Adding a filter work-around isn’t a fix. Are the plugin developers going to chime in on this bug?

Any update on this? It’s been two months.

Hi – no, not using an user role tools.

Hi Mikey – that update looks to have fixed the issue – notifications are now being sent.

[15-Mar-2024 23:35:21 UTC] PHP Fatal error: ?Uncaught Error: Failed opening required '/wp-content/plugins/wp-job-manager/wp-job-manager-autoload.php' (include_path='.:') in /wp-content/plugins/wp-job-manager/wp-job-manager.php:29

When can we expect an update? Your ad is obtrusive and in breach of rule 11.

Ahh, cool, yes it’s working when I view the sitemap index page. Had assumed it would get added into the dashboard admin, which is what confused me about using a filter. Thanks for the explanation!

Having trouble implementing this.

I have a pre_post_update hook which gets called when a post gets update/added, and inside that function, I’m calling the aioseo_sitemap_additional_pages filter function. My URL isn’t getting added to the additional pages list. (I have Additional Pages ON). Inside the aioseo_sitemap_additional_pages filter I’m calling error_log to confirm if it’s getting called, but nothing is getting written to the log. Should it be an action?

// called inside my 'pre_post_update' hook
add_filter( 'aioseo_sitemap_additional_pages', 'aioseo_sitemap_add_additional_pages' );		

function aioseo_sitemap_add_additional_pages( $pages ) {
  error_log(print_r('filter called', true)); // nothing getting written to debug log
  $pages[] = [
    'loc'        => 'https://www.[domain].com/our-listings/property/',
    'lastmod'    => Date('Y-m-d H:i:s'),
    'changefreq' => 'daily',
    'priority'   => 0.8
  ];
 return $pages;
}

• This reply was modified 1 year ago by bluesix.

Ah, that’s exactly what I was looking for, thank you!

Hi,

I’m still seeing this issue on another site. I’m getting the “MonsterInsights Summary” email from the client’s website, I click the “Unsubscribe” link in the footer of the email, and I get take to Settings > Advanced and the “Email Summaries” box is ticked/selected with the message “you need to connect to monsterinsights first”, an I’m not able to unsubscribe. Is there a fix for this? I don’t want to ‘connect to monsterinsights’ and I don’t want that email.

@jawada Wordfence is saying v4.2.0 still contains the vulnerability that was announced in August https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/popup-builder/popup-builder-4115-authenticated-admin-stored-cross-site-scripting

• This reply was modified 1 year, 1 month ago by bluesix.

@devmich & @tharg3 The reason I posted this thread this is because I received an email summary… your plugin update was seemingly deployed with it enabled, and no way to disable it. I’ve just checked on the affected site again now and it has been disabled, so seems like you’ve fixed it.

• This reply was modified 1 year, 1 month ago by bluesix.
• This reply was modified 1 year, 1 month ago by bluesix.
• This reply was modified 1 year, 1 month ago by bluesix.
• This reply was modified 1 year, 1 month ago by bluesix.