Support » Plugin: Google XML Sitemaps » Google-sitemap-generator flagged with XSS vulnerability

  • bluebearmedia

    (@bluebearmedia)


    Please note this plug-in has been flagged with a possible XSS at the WPScan Vulnerability Database >> https://wpvulndb.com/vulnerabilities/8762

    Some clarification from the plugin author would be very helpful on this issue.

    The vulnerability is reported to exist in the current version.

Viewing 7 replies - 1 through 7 (of 7 total)
  • linux4me2

    (@linux4me2)

    If I’m interpreting the information from the link you posted correctly, it looks like the XSS vulnerability is with the PayPal button on the Admin side, so it seems like the plugin should be safe to use unless having someone with admin access trying to exploit the vulnerability is a concern.

    bluebearmedia

    (@bluebearmedia)

    I don’t disagree with you, but there is no reason that line of code shouldn’t be sanitized to remove the issue.

    Looks like the author has bowed out, so it won’t be fixed unless someone does it themselves.

    Line 1300 of sitemap-ui.php appears to be the problem —

    Original:
    <input type="hidden" name="return" value="<?php echo 'http://' . $_SERVER['HTTP_HOST'] . $this->sg->GetBackLink(); ?>&sm_donated=true" />

    My modification:
<input type="hidden" name="return" value="<?php echo 'http://' . htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES, 'UTF-8') . $this->sg->GetBackLink(); ?>&sm_donated=true" />
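    The pattern behind that one-line fix, as an added illustration that is not the plugin's code or anyone's post in this thread: the vulnerable and hardened ways of building that hidden input's value side by side, with a hypothetical $backLink string standing in for $this->sg->GetBackLink() and a constructed Host header as input.

```php
<?php
// Added example, not code from the Google XML Sitemaps plugin.
// $backLink is a hypothetical stand-in for $this->sg->GetBackLink().

// Vulnerable pattern from the thread: the raw Host header and back link are
// concatenated straight into an HTML attribute, so a double quote in either
// closes the value="..." and whatever follows becomes markup.
function build_return_value_unsafe(string $host, string $backLink): string {
    return 'http://' . $host . $backLink . '&sm_donated=true';
}

// Hardened pattern: only accept a Host value the site actually serves (the
// Host header is client-supplied, not trusted), then escape the whole string
// for attribute context. ENT_QUOTES encodes both ' and ", and the & before
// sm_donated becomes &amp;, which the browser decodes back to & in the URL.
// Inside WordPress, esc_url() on the assembled URL is the idiomatic choice.
function build_return_value_safe(string $host, string $backLink, array $allowedHosts): string {
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0]; // fall back to the canonical host
    }
    $value = 'http://' . $host . $backLink . '&sm_donated=true';
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a Host header that tries to close the attribute.
$hostileHost  = 'example.com"><b>injected</b>';
$backLink     = '/wp-admin/options-general.php?page=google-sitemap-generator';
$allowedHosts = ['example.com'];

// Unsafe: the quote breaks out of value="..." and <b> renders as an element.
echo '<input type="hidden" name="return" value="'
    . build_return_value_unsafe($hostileHost, $backLink) . '" />', PHP_EOL;

// Safe: the unknown host is replaced and every special character is encoded.
echo '<input type="hidden" name="return" value="'
    . build_return_value_safe($hostileHost, $backLink, $allowedHosts) . '" />', PHP_EOL;
```

    Run it with the PHP CLI and compare the two output lines: the first contains a bare `">` inside the attribute, the second only `&quot;&gt;`.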

    Which version of Google XML Sitemaps do you have installed?

    The author was lax with his changelog. The version I have installed shows “Version 5.4.1 //actual version: 3.4.1”!? If you click on the View Details link it shows Version 4.0.8. If you click on the Changelog link, it sends you to the plugin website. The website shows the last version as Version 4.0.8 (2014-11-15).

    There are no similar lines of code in the version of this plug-in that I have installed.

    No idea…. maybe the plugin author changed plug-in threads or something?
    But the latest version that was available that I could get had the flaw. If he’s made a new version but outside the WP plug-in repository, that’s not an appropriate solution to the issue.

    I was curious to know what version number is shown on your installation?

    4.0.8 – and the unsanitized code WAS in that version (I changed it myself…)

    I have been using this plugin for years and can’t recall the last update.

    My version was showing:
    Plugin version: 5.4.1 // Actual version: 3.4.1 ($Id: sitemap-core.php 890782 2014-04-10 19:16:31Z arnee $) – this is what the plugin actually shows.

    If wp-debug was on, I was getting pages of php errors from a mysql_ error, which I stopped by prepending an @ before the mysql_.

    Because this issue would stop the plugin working with PHP 7, I was in the process of changing to use a script without the plug-in, but checking the support again, I noticed reports about the XSS vulnerability. The fix you posted revealed that the php files were different.

    Going to the repository, I did not find version 5.4.1 and it appears that indeed my version must be 3.4.1. Also the above-mentioned mysql_ errors were fixed and do not appear in version 4.0.8.

    My question now is how and why did version 5.4.1 get into the WordPress plugin directory.

    I am now switching to version 4.0.8 and will apply your fix. Thank you!

    • This reply was modified 2 months, 1 week ago by  Malae.