Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author George Gkouvousis

    (@gkouvousisg)

    Hey Neval.

    Unfortunately, there are no details in this CVE report – thus, nothing to identify at this time. That can be a valuable report with hidden data at the moment, or a completely false one.

    At this time, no XSS issues are reported. If you have more details about your mentioned issue, feel free to share them here.

    Thread Starter neval123

    (@neval123)

    Heya! Indeed, I can’t find a proof of concept either. There’s a bit more info here though – https://patchstack.com/database/vulnerability/read-more-without-refresh/wordpress-read-more-without-refresh-plugin-3-1-cross-site-scripting-xss-vulnerability

    However, it seems it requires “Administrator +” privilege to perform the attack, so it shouldn’t be an issue for most websites (where there’s just one user or admin), right?

    In the meantime, I want to thank you for the amazing and unique plugin you developed. It’s literally perfect for what I needed. 🙂 Congrats and thank you for all your hard work, it’s much appreciated!

    • This reply was modified 1 year ago by neval123.
    • This reply was modified 1 year ago by neval123.
    projecta

    (@projecta)

    MalCare is also reporting this. Not a lot of detail, though.

    Thread Starter neval123

    (@neval123)

    That’s so frustrating… I mean, I understand not disclosing the proof of concept publicly, to prevent people from trying to hack others, but I was under the impression that whenever such vulnerabilities are discovered, they (MalCare, iThemes, Patchstack, etc.) get in touch with plugin developers and provide them with the required information to update their code.

    If that’s not the case, can’t you contact them, @gkouvousisg?

    Anonymous User 20889438

    (@anonymized-20889438)

    @gkouvousisg,

    If you have more details about your mentioned issue, feel free to share them here.

    Kinda obvious, but the mentioned issue is an admin+ one, so you just need to validate/sanitize/escape 9 out of 9 input fields on the plugin settings page. That’s it.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Please stop arguing this here. This should be disclosed PRIVATELY with the developer. If the developer is not responsive, please email plugins@wordpress.org with details of the vuln.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Issue in version 3.1’ is closed to new replies.