• Resolved montifit

    (@montifit)


    As I use this plugin, I ran a vulnerability test and I got info that Moment.js 2.22.2 is used in this plugin and it has a bug in it.
    Just a short info:
    In September 2020, a critical security vulnerability was discovered in Moment.js versions 2.18.0 through 2.24.0, which allowed attackers to execute arbitrary code on a user’s computer when parsing a maliciously crafted date string.

    Can it be updated?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hey @montifit – Thanks for reaching out!

    We’ve notified our developers about this issue and plan to address it by updating the library in an upcoming version of the plugin. However, there’s no need to worry as the library is only used by administrators in the site and plugin admin area, so regular site visitors won’t be able to cause any harm. Additionally, the date processed by moment.js is not stored in the database, which means that the code can only be executed on the attacker’s computer.

    Kindly,

    Prashant Rai

    (@prashantrai)

    Hey @montifit – Thanks for your patience!

    When you have some time, can you please update WPForms Lite to the latest version 1.8.2.1, which should fix the issue that you were facing?

    Please let me know how it goes.

    Kindly,

    Thread Starter montifit

    (@montifit)

    Yes, it looks like all is ok

    Prashant Rai

    (@prashantrai)

    Hey @montifit – We’re thrilled to hear that the issue is resolved now, and thanks for letting us know. For now, I’m going to close the ticket, but if you have any questions, please feel free to reach out.

    Kindly,

  • The topic ‘Plugin using vulnerable Moment.js lib’ is closed to new replies.