We’ve patched to 3.4.5 and thought we cleaned up everything after removal of malware and deletion of an admin level user. Today new entires showed up in the reviews database as if the XSS vulnerability was not fixed or additional backdoors still exist. We’ve completely disabled the plugin at this point.
Do we know how long this vulnerability was publicly known prior to the 3.4.3 fix being available on 8/18. Was this a zero-day for any period of time or was this only made public with 3.4.3? Trying to figure out if it’s safe to go back to a restore point immediately prior to being hit or 8/17.
Ditto on not seeing the inline image editor in Chrome – running v39.0.2171.95 (64-bit) on OS X Mavericks.
Works in Firefox and Safari.
