Plugin using vulnerable Moment.js lib

  • Resolved Anonymous User

    (@anonymized-20871082)


    1 year, 11 months ago

    As i use this plugins i run a vulnerability test and i got info that Moment.js that is 2.22.2 is used in this plugin and it has a a bug in it
    just a short info.
    In September 2020, a critical security vulnerability was discovered in Moment.js versions 2.18.0 through 2.24.0, which allowed attackers to execute arbitrary code on a user’s computer when parsing a maliciously crafted date string.

    Can it be updated?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Prashant Rai

    (@prashantrai)

    1 year, 11 months ago

    Hey @montifit – Thanks for reaching out!

    We’ve notified our developers about this issue and plan to address it by updating the library in an upcoming version of the plugin. However, there’s no need to worry as the library is only used by administrators in the site and plugin admin area, so regular site visitors won’t be able to cause any harm. Additionally, the date processed by moment.js is not stored in the database, which means that the code can only be executed on the attacker’s computer.

    Kindly,

    Prashant Rai

    (@prashantrai)

    1 year, 9 months ago

    Hey @montifit – Thanks for the your patience!

    When you have sometime, can you please update the WPForms lite to the latest version 1.8.2.1 which should fix the issue that you were facing?

    Please let me me know how it goes.

    Kindly,

    Thread Starter Anonymous User

    (@anonymized-20871082)

    1 year, 9 months ago

    Yes, it looks like all is ok

    Prashant Rai

    (@prashantrai)

    1 year, 9 months ago

    Hey @montifit – We’re thrilled to hear that the issue is resolved now, and thanks for letting us know. For now, I’m going to close the ticket, but if you have any questions, please feel free to reach out.

    Kindly,

    • This reply was modified 1 year, 9 months ago by Prashant Rai.
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Plugin using vulnerable Moment.js lib’ is closed to new replies.