Ducktales

@rawrly This is not a potential threat directly related to the Simple History plugin. You should remove this fake ‘vulnerability’ from your database. It is very misleading for website admins.

@eskapism Yeah it is way too generic, talking about potential harm outside the plugin when the CSV file is misused for malice. That ‘danger’ applies to every computer file ever created.

Patchstack should not have allowed this report by their terms.

Same alert in Plesk WP Toolkit. It comes from Patchstack:

https://patchstack.com/database/vulnerability/simple-history/wordpress-simple-history-plugin-3-3-1-csv-injection-vulnerability?_a_id=110

Thank you

Thank you!

@blobfolio Thanks a lot!

You are so quick with fixes. Really cool.

Thanks!

It’s fixed!

Wow that was quick! Thanks a lot!!

Works fine for me on WP v4.5.3 and plugin v0.10.2

It would be better to include the protocol directly from the base url setting. Actually, I don’t understand why you are altering the value of that setting in ImageUploader.php getHostUrl(). It should be used as provided.

ImageUploader.php – getHostUrl()

return $url ?: WpAutoUpload::getOption('base_url');

wp-auto-upload.php – save()

$base_url = $uploader->getHostUrl() ?: null;

Ah ok, thanks.