• Resolved bak25

    (@bak25)


    Hi,

    I have had a security alert from Wordfence for one week. The message is on this page: https://wpscan.com/vulnerability/92b65cf0-a5a6-4143-bf9e-2fc57a63bd9f/

    The Passster plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Do you think you will be making a patch? Thank you for your reply.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Cristian Raiber

    (@cristianraiber-1)

    @bak25 – thanks for sending this in. We’re trying to get PatchStack to actually reply and tell us what “vulnerability” they’ve discovered this time.

    They’ve published the report but we’ve never received a detailed breakdown about HOW this vulnerability happens (aka how they tested for it).

    Right now, their report is just panicking users for nothing …

    We’ve emailed multiple times, talked to their live chat AI bot … nothing yet. I’ve gone as far as directly pinging 3 of the people that work there, asking them to take a look … still waiting.

    /Cristian.

    Thread Starter bak25

    (@bak25)

    Thank you very much for your prompt response.

    Indeed, their repeated alerts and prevention emails are a good stress tool.

    To be followed up when the information is communicated to you…

    Plugin Support Cristian Raiber

    (@cristianraiber-1)

    @bak25 – we’ve pushed out a fix to address this supposed security vulnerability (the vulnerability assumes you have admin access to exploit it to begin with… )


The topic ‘Vulnerability to Stored Cross-Site Scripting’ is closed to new replies.