XSS vulnerability | WordPress.org

Resolved freegenie
(@freegenie)

6 years, 2 months ago

There’s a security issue with the way you populate the form action using the current URL, $_SERVER[‘REQUEST_URI’] needs to be escaped, otherwise an attacker could forge a URL to inject <script> content in the page.

Please see a fix here: https://github.com/exelab/genesis-enews-extended/commit/39c9952724d4e7aa9f99f13cb11c7bd81dfd537d

Viewing 3 replies - 1 through 3 (of 3 total)

Lee Blue
(@reality66)

6 years, 2 months ago

I hope your fix gets added to the plugin. It has not been updated in a year. I hope the plugin is still maintained because it’s really nice.

Plugin Author Brandon Kraft
(@kraftbj)

Code Wrangler

6 years, 2 months ago

Happy to make that change. I didn’t see the PR come through or missed it along the way.

@reality66 – Yup, I’m still around. The plugin hasn’t required much work to maintain, though I’m not actively working on anything new for it either.

I can get it patched up and shipped out this week.

Lee Blue
(@reality66)

6 years, 2 months ago

That’s awesome! Love the plugin and it’s worked great for me for a really long time – including right now. It’s great to have a plugin that doesn’t need much updating, so you might want to just bump the supported WordPress version up every now and then. There’s a new policy in place where plugins with a supported WP version behind by more than three major releases may be flagged as not being updated. https://make.wordpress.org/plugins/2018/02/13/not-updated-in-warning/

Thanks for keeping things going =)

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘XSS vulnerability’ is closed to new replies.

Tags

xss

In: Plugins
3 replies
3 participants
Last reply from: Lee Blue
Last activity: 6 years, 2 months ago
Status: resolved