In that same alert for Wordfence, they reference this URL so I think there may be some error going on with Wordfence reporting?
https://plugins.trac.wordpress.org/changeset/2840328/blockonomics-bitcoin-payments/trunk/blockonomics-woocommerce.php
Description
The iubenda plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter_by’ parameter in versions up to, and including, 3.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
plugins.trac.wordpress.org
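As an added illustration of the pattern the quoted advisory describes (insufficient input sanitization and output escaping of a `filter_by` request parameter), here is a hypothetical WordPress admin-page handler shown first in the vulnerable form and then hardened; this is constructed example code, not code from the iubenda plugin, Wordfence, or the changeset linked above.

```php
<?php
// Hypothetical admin-page handler, constructed for illustration only;
// the function names and the allowlist values are assumptions.

// Vulnerable pattern: the raw query value is written straight into HTML
// with no sanitization and no escaping, so anything the request carries
// in filter_by is reflected into the rendered page.
function example_render_filter_vulnerable() {
    $filter_by = isset( $_GET['filter_by'] ) ? $_GET['filter_by'] : '';
    echo '<input type="hidden" name="filter_by" value="' . $filter_by . '">';
}

// Hardened pattern: unslash and sanitize on input, restrict the value to a
// known set, and escape on output for the exact HTML context (an attribute).
function example_render_filter_hardened() {
    $allowed   = array( 'all', 'pending', 'approved' ); // constructed allowlist
    $filter_by = isset( $_GET['filter_by'] )
        ? sanitize_key( wp_unslash( $_GET['filter_by'] ) )
        : 'all';
    if ( ! in_array( $filter_by, $allowed, true ) ) {
        $filter_by = 'all'; // unknown values fall back to a safe default
    }
    echo '<input type="hidden" name="filter_by" value="' . esc_attr( $filter_by ) . '">';
}
```

The hardened version uses the WordPress core helpers `wp_unslash()`, `sanitize_key()` and `esc_attr()`; the escaping call must match the output context, so a value printed inside element text would use `esc_html()` instead.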
Hi,
we are investigating the report, and we are trying to keep in touch with Wordfence support: at first sight, it seems related to another plugin (not our plugin).
In fact their reference link leads you here: https://plugins.trac.wordpress.org/changeset/2840328/blockonomics-bitcoin-payments/trunk/blockonomics-woocommerce.php
And we confirm this is not our plugin.
We will keep you posted when they clarify, so we can provide you with a definitive answer!
Hi,
we also want to reassure you that you are safe if you use our plugin version 3.3.3 or higher, since we have worked hard on the security side of our plugin.
In the meantime, we will keep you posted when we receive clarifications from the Wordfence support team (see my previous message) 🙂
Hi,
We have checked internally and I confirm we had a security issue in a previous version; it has been fixed with version 3.3.3. We noticed that the Wordfence reference is wrong and we’ve contacted them to fix it.
Note: we are sorry for the previous messages, they were imprecise, so please consider only this one.
Great, thanks for looking into this.
Current version being 3.4.1
Ced
(@cedriccharles)
Hello there 🙂
ManageWP reports the same type of security error to me…
https://snipboard.io/lm3Wwg.jpg
What can I do?
Kind regards,
Cedric
Same here.
This is a very big issue, since we send reports to our clients and they can see that their website is not secure.
ManageWP support service says that they cannot fix it. Who can do it? Please update. Thanks
Hi @dharma23 and @cedriccharles ,
this is a false alert from ManageWP, we are already in contact with their customer care to have this incorrect information fixed.
Unfortunately, they rely on the same erroneous report from Wordfence that was mentioned in this thread, but this has been corrected by the Wordfence team.
In the meantime we are trying to keep in touch again with ManageWP to see if they can fix it.
Hope this helps.
Hi @iubenda, do you have any update on resolving these false alerts with ManageWP, please? We have one client receiving a client report from ManageWP showing over 1 month’s worth of vulnerabilities from this plugin, which is not a good look. It would be good to get this resolved. Thanks.