Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor Josh Pollock

    (@shelob9)

    As you are probably aware, there was a published report of a possible XSS exploit in Pods. This issue was technically true, but posed no real practical danger, as you had to be logged in as an administrative user to carry them out.

    For example, when logged in as admin user, you were able to use an XSS exploit to delete Pods data. When logged in as an admin user you can also go to Pods Admin->Settings and from the reset data tab click the blue button to delete all of your data.

    Any issues contained in that report that were noted are fixed that we could reproduce. Specifically the XSS issue with URL escaping output for valid IDs in the query args was fixed because even though it is a minor issue, we do think it is best to ensure that gets cleaned up.

    If you have a new concern that was not noted in that report, then please send it privately to contact@pods.io and/ or security@wordpress.org and we will address it.

    Thread Starter mythusmage

    (@mythusmage)

    So, it is safe. Guess I give it a try.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Sorry’ is closed to new replies.