  • Thank you for your message. No, that vulnerability does not apply in this case, so there is no need to update the code.

    There is no way for anyone outside the PHP script to force an unsafe value into this function call, so the inputs do not need to be escaped. Moreover, because a ‘base URL’ is provided to the add_query_arg function, the issue highlighted in the link you sent does not apply – the danger is when it defaults to the value of `$_SERVER['REQUEST_URI']` which can potentially be altered by something that manipulates the browser.

    Just in case you look for similar potential issues in other plugins, please could I suggest that you contact authors directly by email in future so that you don’t inadvertently alert people who might try to exploit it? If in doubt, WordPress’ own plugin/security team will help: plugins at wordpress dot org.

    Thanks again for getting in touch anyway, and for keeping an eye out for everyone!

    Dan
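    The distinction Dan draws, shown as an added example that is not the plugin's own code: the first function leaves add_query_arg() to build on the request URI, the second supplies an explicit base URL and escapes on output. It assumes it runs inside WordPress, where add_query_arg(), admin_url() and esc_url() are loaded; the page slug and function names are hypothetical.

```php
<?php
// Added illustration of the two call shapes discussed above; assumes WordPress is loaded.

// Risky shape: no base URL, so add_query_arg() falls back to $_SERVER['REQUEST_URI'],
// a request-controlled value. Printing the result without esc_url() means whatever
// reached the server in the request URI is copied straight into the markup.
function myplugin_refresh_link_risky() {
    return '<a href="' . add_query_arg( 'action', 'refresh' ) . '">Refresh</a>';
}

// Safe shape (the pattern described in the reply): an explicit base URL means the
// request URI is never consulted, and esc_url() sanitises the final href on output.
function myplugin_refresh_link_safe() {
    $base = admin_url( 'admin.php?page=myplugin-settings' ); // hypothetical page slug
    $url  = add_query_arg( 'action', 'refresh', $base );
    return '<a href="' . esc_url( $url ) . '">Refresh</a>';
}

// Same rule applies to redirects: fixed base, then wp_safe_redirect() on the result.
function myplugin_redirect_after_refresh() {
    $base = admin_url( 'admin.php?page=myplugin-settings' ); // hypothetical page slug
    wp_safe_redirect( add_query_arg( 'refreshed', '1', $base ) );
    exit;
}
```

    When auditing a plugin, the thing to check is therefore each add_query_arg() call that has no third argument and whose return value is printed or redirected to without esc_url() or wp_safe_redirect().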

    Thread Starter KTS915

    (@kts915)

    Thanks for both the explanation and advice!

  • The topic ‘XSS Vulnerability’ is closed to new replies.