Hi there,
Thank you for notifying us about the potential vulnerability in our WordPress Date Picker plugin. Could you please provide more details or logs of the issue? This will help us promptly address and resolve the problem with the assistance of our developers.
Your cooperation is highly appreciated.
Best,
Niel, Input WP Support Team
Unfortunately I don't have any more detailed info about this issue,
it was automatically reported by our Plesk server WordPress Toolkit.
If you can point me in any direction how to create the logs and/or info you need, I will try to provide it to you.
The only info I have right now:
“WordPress Date Picker by Input WP – Sync bookings with external Calendars (.ics) plugin <= 2.2 – Reflected Cross Site Scripting (XSS) vulnerability”
It was also just reported by Wordfence.
Supposedly it’s caused by the Freemius SDK.
Your plugin uses version 2.4.3 of the SDK;
it should at least be version 2.5.10 according to Freemius.
https://www.wordfence.com/threat-intel/vulnerabilities/detail/freemius-sdk-259-reflected-cross-site-scripting-via-fs-request-get
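Added example, not part of the thread and not Input WP's or Freemius's code: a Python check that reports the Freemius SDK version bundled with each installed plugin and flags copies older than the 2.5.10 named above. It assumes the SDK declares its version as `$this_sdk_version` in a `start.php` under a directory whose name contains `freemius`; the sample tree and plugin names are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 5, 10)  # minimum SDK version named in the thread
# Assumption: the bundled SDK declares its version in start.php as
#   $this_sdk_version = 'X.Y.Z';
VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*['\"](\d+(?:\.\d+)*)['\"]")


def parse_version(text):
    """Return the declared SDK version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan_plugins(plugins_dir):
    """Map plugin directory name -> (version tuple or None, needs_attention)."""
    root = Path(plugins_dir)
    results = {}
    for start in sorted(root.glob("*/**/start.php")):
        rel = start.relative_to(root)
        # Only consider start.php files that sit inside a freemius directory.
        if not any("freemius" in part.lower() for part in rel.parts[1:-1]):
            continue
        version = parse_version(start.read_text(errors="replace"))
        # Compare as integer tuples: as strings, "2.5.9" sorts after "2.5.10".
        results[rel.parts[0]] = (version, version is None or version < FIXED)
    return results


def build_sample_tree(root):
    """Constructed sample data: one outdated and one fixed copy of the SDK."""
    samples = {
        "date-picker-sample/freemius": "2.4.3",
        "other-plugin/vendor/freemius/wordpress-sdk": "2.5.10",
    }
    for rel, ver in samples.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        (d / "start.php").write_text("<?php\n$this_sdk_version = '%s';\n" % ver)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for plugin, (ver, flagged) in scan_plugins(tmp).items():
            shown = ".".join(map(str, ver)) if ver else "unknown"
            print(f"{plugin}: Freemius SDK {shown} {'UPDATE NEEDED' if flagged else 'ok'}")
```

To check a real site, pass the path of its `wp-content/plugins` directory to `scan_plugins`; a version reported as unknown is flagged so it can be inspected by hand.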
Hi there,
Thanks for letting us know about the issue! We’ll pass it to our devs for a closer look. We’ll keep you posted! 😊
Best,
Niel, Input WP Support Team
I can confirm that I too was warned today about this vulnerability from Wordfence.
Any news on an update about this? If not I will need to find an alternative plugin.
Hi there,
Thanks for sharing your concern. I’ve already reported the vulnerability to the developers. Thanks for your patience.
Best,
Niel, Input WP Support Team
Efs
(@stevendigital)
Hello @nielorit
Today I also saw this vulnerability popping up in Wordfence that affects your plugin:
Freemius SDK <= 2.5.9 – Reflected Cross-Site Scripting via fs_request_get
Please check on this matter. Here is the whole report from Wordfence.
Best Regards
Any updates on this? @nielorit
Hello Autosoft,
We’ve just rolled out the fix for the Freemius vulnerability by updating to v2.5.10 today. 👍 Here are the details:
- Fix Freemius vulnerability by updating to v2.5.10
- Tested for compatibility with WordPress v6.3.1
- Tested for compatibility with Contact Form 7 v5.8
- Tested for compatibility with Divi v4.22.1
Thanks for keeping an eye out, and let us know if you need anything else!
Best,
Niel, Input WP Support Team
Thank you for the fix.
Everything seems to be working properly.