WP-FaceThumb
[resolved] Reflected XSS-vulnerability CWE-79 (7 posts)

  1. henrisalo
    Member
    Posted 1 year ago #

    Hello,

    This plugin is vulnerable to a reflected XSS security vulnerability.

    [removed for security]

    I haven't verified this nor checked your plugin's code. Could you tell me if this is indeed a valid report and, if yes, when do you plan to fix this?

    Please note that I am more than happy to provide help to fix this issue in case you need any.

    http://wordpress.org/extend/plugins/wp-facethumb/

  2. FYI, please don't post possible security issues like that in the forums. If it IS an issue, you've given the hack to more people. If not, it can hurt a legit plugin. You did the right thing by emailing plugins @ wordpress.org - We'll look into it :)

  3. henrisalo
    Member
    Posted 1 year ago #

    This was a public issue already. I did not create the original announcement. More people can be affected by it if nobody knows about the issue in the forums/WP community. XSS issues are usually so simple that people can even patch those by themselves if no patch is available from the vendor (in this case the plugin maintainer), or even in cases where the vendor says "we don't have time to fix this" or gives a similar explanation even when the issue is verified.

    Do I get some kind of reply from the plugins@ address if I notify it about security vulnerabilities?

  4. mnttech
    Member
    Plugin Author

    Posted 1 year ago #

    Hello,
    I'm at work.
    I'll check that as soon as I'm home.
    What tool do you use to check this?

  5. henrisalo
    Member
    Posted 1 year ago #

    I have not verified this yet. I am not the original finder of this vulnerability.

  6. mnttech
    Member
    Plugin Author

    Posted 1 year ago #

    Fixed!

    Thanks for pointing that out.

  7. henrisalo
    Member
    Posted 1 year ago #

    Please use CVE-2012-2371 for this issue. Add it to your changelog if possible, thanks.
