Support » Plugin: The Events Calendar » XSS Vulnerability in jQuery ui dialog

  • Resolved gama6889

    (@gama6889)


    Hello,

    I’m using The Events Calendar plugin on my sites. Recently we had a security test on them and it reported a high alert in the jQuery UI dialog library. This XSS vulnerability is solved in v1.10.0, but The Events Calendar plugin is using v1.9.2.

    How can I upgrade jQuery UI dialog to v1.10.0 in the plugin?

    XSS vulnerability report

    • This topic was modified 1 year, 10 months ago by  gama6889.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Barry

    (@barryhughes-1)

    Hi @gama6889,

    Thanks for flagging this.

    The JavaScript in question isn’t actually used: the jQuery UI Dialog code that The Events Calendar and its related plugins really use is the same version as bundled with WordPress itself.

    With that said, we shouldn’t really be shipping unused/out of date vendor code (even if, as here, it isn’t used) so we’ll make a point of removing it.

    Thanks again for the report, we appreciate you taking the time to post this 🙂

    Hi,

    Thanks for your fast response.
    I think that removing it is the best solution to prevent the security tests from reporting the XSS vulnerability in your plugin.

    Please edit the jQuery UI CSS Framework version in the jquery-ui-1.8.23.custom.css file.

    Thanks again, Barry.

    • This reply was modified 1 year, 10 months ago by  gama6889.
    Plugin Contributor nicosantos

    (@nicosantos)

    Hey,

    Just wanted to share with you that a new maintenance release (for the Week of 12th June 2017) is out, including a fix for this issue 🙂

    Find out more about this release → https://theeventscalendar.com/maintenance-release-for-the-week-of-12th-june-2017/

    Please update the plugins and let us know if the fix works for your site,
    Best,
    Nico

  • The topic ‘XSS Vulnerability in jQuery ui dialog’ is closed to new replies.
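
Added example, not part of the thread and not code from The Events Calendar: a small inventory check that walks a plugin directory and lists bundled jQuery UI files whose banner version is older than the v1.10.0 named above. The banner formats matched by the regex and the file names in the constructed sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Version named in the thread as the first release with the dialog XSS fix.
FIXED_IN = (1, 10, 0)

# Assumption: bundled copies keep their banner comment, e.g.
# "/*! jQuery UI - v1.9.2 ..." or "* jQuery UI CSS Framework 1.8.23".
BANNER = re.compile(r"jQuery UI(?: CSS Framework)?\s*(?:-\s*v)?\s*(\d+)\.(\d+)\.(\d+)")


def find_stale_jquery_ui(root, fixed_in=FIXED_IN):
    """Return sorted (relative_path, version) for bundled copies older than fixed_in."""
    root = Path(root)
    stale = []
    for path in root.rglob("*"):
        if path.suffix.lower() not in {".js", ".css"} or not path.is_file():
            continue
        # Banners sit at the top of the file; reading 2 KiB keeps minified files cheap.
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(2048)
        match = BANNER.search(head)
        if match:
            version = tuple(int(part) for part in match.groups())
            # Tuple comparison: 1.9.2 < 1.10.0, which a plain string compare gets wrong.
            if version < fixed_in:
                stale.append((path.relative_to(root).as_posix(), ".".join(map(str, version))))
    return sorted(stale)


def demo():
    """Scan a constructed plugin tree (file names and contents are made up for the example)."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"
        vendor.mkdir()
        (vendor / "jquery-ui-dialog.js").write_text("/*! jQuery UI - v1.9.2 */\n")
        (vendor / "jquery-ui.custom.css").write_text("/*!\n * jQuery UI CSS Framework 1.8.23\n */\n")
        (vendor / "jquery-ui-new.js").write_text("/*! jQuery UI - v1.12.1 */\n")
        (vendor / "other.js").write_text("/* unrelated library 0.1.0 */\n")
        return find_stale_jquery_ui(tmp)


if __name__ == "__main__":
    for rel_path, version in demo():
        print(f"{rel_path}: jQuery UI {version} is older than 1.10.0")
```

A hit only shows that an old copy ships in the tree; as the plugin author's reply points out, whether that file is ever loaded is a separate question.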