Forum Replies Created

Viewing 15 replies - 1 through 15 (of 454 total)
  • Plugin Author Me

    (@cyberws)

    Thank you all for the support. I have sent emails to those that have contacted me via the form. So check your junk folder if you didn’t get an email.

    Cheers.

    Jeremy

    • This reply was modified 3 months ago by Me.
    Plugin Author Me

    (@cyberws)

    If you want the newly patched version:

    1) Go to http://www.cyberws.com
    2) On the contact page select “WordPress Plugin Suggestion”
    3) Simply let me know through that form that you want the latest version.
    4) Obviously fill out the form with your email.

    I’ll send you an email with the files. You just need to upload the files to your plugin directory/folder and overwrite the old files.

    You may need to add support at cyberws dot com to your white list. Or at least check your spam/junk folders for a day or so as my response may end up in that area.

    I appreciate all your support, community!

    I was told I had not modified the code to address XSS. I did indeed, if they would actually review the code! In version 3.4 there are tokens generated that are embedded into the forms and links. The server stores a matching key.

    I did not use cookies because often a cookie code will be added automatically by a browser to even malicious links. The token even resets on every access of the main plugin page (where no deleting or updating can occur). Thus eliminating an attacker’s ability to just grab a previous key and try to feed that into some malicious call.

    A key embedded into the page that rotates is the proper way to deal with XSS attackers but WP rejects this so, whatever. WP has a history of not following proper security themselves (Google/Bing/DuckDuckGo WP’s poor security record). Anyway I can’t say I am surprised they fail to understand this concept.

    I don’t have the time to jump through all their unfriendly hoops.

    If for some reason WP decides to play better, which I doubt, I will return to this plugin publicly.

    Cheers,

    Jeremy

    Plugin Author Me

    (@cyberws)

    The WP team rejected the accepted token practice and thus refuses to turn the plugin back on. So I am now officially abandoning any further public development.

    I now consider this matter closed due to WP’s anti-developer stance.

    I appreciate the interest in this plugin and hope it has served you well and good luck with future endeavors.

    Cheers,

    Jeremy

    Plugin Author Me

    (@cyberws)

    You are fine on your version. I agree the issue needed patching but the risk was very minor. There were never any examples of real world attacks.

    1) You would need to be logged into your site.
    2) Visit another website that, say, had the delete form on it.
    3) If you were tricked and clicked the delete button on that site, it could send a delete request to your server to delete data.

    So you have to be tricked into thinking you are on your website when you are on someone else’s. You also must be logged into WP or the attack fails.

    Therefore, if you pay attention and don’t get confused that you are on another site to manage your daily quotes, there is no risk. However, the latest version will stop that even if you aren’t paying attention. So again, low risk, but yeah, technically a security issue.

    Cheers,

    Jeremy
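
The check described in these replies (a key embedded in each form and link, a matching key stored on the server, rotation on every load of the main plugin page), applied to the cross-site delete request from the reply above. This is an added example, not the plugin's code; the function names, the `quote_token` key and the `$session`/`$request` arrays are assumptions standing in for the server-side store and the submitted form fields.

```php
<?php
// Added example, not the plugin's code. All names are hypothetical;
// $session stands in for the per-user server-side store.

function issue_token(array &$session): string
{
    // Called when the main plugin page is rendered: replaces any earlier key.
    $session['quote_token'] = bin2hex(random_bytes(32));
    return $session['quote_token'];
}

function token_is_valid(array $session, array $request): bool
{
    $stored = $session['quote_token'] ?? '';
    $sent   = $request['token'] ?? '';
    // Reject missing or non-string values, then compare in constant time.
    return is_string($sent) && $stored !== '' && hash_equals($stored, $sent);
}

function handle_delete(array $session, array $request, array &$quotes): string
{
    // State-changing action: refuse unless the request carries the current key.
    if (!token_is_valid($session, $request)) {
        return 'rejected';
    }
    unset($quotes[(int) ($request['id'] ?? -1)]);
    return 'deleted';
}

// Constructed sample data.
$session = [];
$quotes  = [1 => 'First quote', 2 => 'Second quote'];

$old = issue_token($session); // first load of the main page
$new = issue_token($session); // next load rotates the key

// Form hosted on another site: the login cookie is sent, the key is not.
echo handle_delete($session, ['id' => 1], $quotes), "\n";
// A key captured from an earlier page load no longer matches.
echo handle_delete($session, ['id' => 1, 'token' => $old], $quotes), "\n";
// The plugin's own form, carrying the current key.
echo handle_delete($session, ['id' => 1, 'token' => $new], $quotes), "\n";
echo count($quotes), " quote(s) left\n";
```

The key travels in the form body or link, not in a cookie, so the browser does not attach it to a request that originates from another site.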

    Plugin Author Me

    (@cyberws)

    I have released version 3.4 which patches the issue. The new code is now in the WP system. I sent an email to the WP team to reopen the plugin. We shall see how fast that goes.

    I will post again when the plugin has been turned back on or if they deny the request.

    Cheers,

    Jeremy

    Plugin Author Me

    (@cyberws)

    Okay I started the patch and have security tokens being generated. The code is in place to check for mismatches between two tokens. This will stop any cross site scripting attacks (which would be so rare).

    I now need to add the security token to all links and form submissions. I should have this done by Monday and will then submit to the WordPress team for a review and hopefully reactivation.

    I can’t say how long that will take but will post here again when I have submitted the code. I appreciate your patience as life called me to other duties.

    Cheers,

    Jeremy

    Plugin Author Me

    (@cyberws)

    Thank you. I did start working on a patch. I need to get it fixed this Jan 2024 for multiple reasons. I will work on getting it uploaded to WP and shall see if they will unlock the plugin. I will post back to this thread.

    • This reply was modified 3 months, 3 weeks ago by Me.
    Plugin Author Me

    (@cyberws)

    Hello. I understand. I will fix this error in a week or so. Unfortunately at this time I am moving countries and just don’t have the time to work on this so for a bit this will have to remain the case. It will be fixed though.

    Cheers,

    Jeremy

    Plugin Author Me

    (@cyberws)

    You can use both but not in the same quote area. You of course may have multiple quote areas/sections on your page.

    You have to think through your layout. If you are going to have the same number of 1, 2, 3, 4, 5 on every day then you could probably do it all in a single multiquote section.

    However I do not know your total layout so you need to think it through as you know what you want and not me.

    Plugin Author Me

    (@cyberws)

    Good deal.

    I am not sure what you did but each quote has its own unique area for a template/theme.

    Since your setup is not a standard one I would put the necessary theme/template for each quote section into its custom override.

    Then add back the default theme into the “Settings” area.

    As for changing the image, that is possible if you make it part of the quote or another quote area even if it doesn’t look like a quote. Review multipart quotes too.

    Plugin Author Me

    (@cyberws)

    What I would do is put a quote like this:

    <li>1. Day 1 First point</li><li>2.Day 1 Second point</li><li>3.Day 1 Third point</li><li>4.Day 1 Fourth point</li>%%<li>1. Day 2 First point</li><li>2.Day 2 Second point</li><li>3.Day 2 Third point</li><li>4.Day 2 Fourth point</li>%%<li>1. Day 3 First point</li><li>2.Day 3 Second point</li><li>3.Day 3 Third point</li><li>4.Day 3 Fourth point</li>

    In the code for the quote template:

    <ul><li>Test</li>{{quote}}</ul>

    Plugin Author Me

    (@cyberws)

    The plugin does not skip days but you could for Sundays (every seventh day) just show a blank. So six entries blank, another six blank, etc.

    Plugin Author Me

    (@cyberws)

    The start date is whatever the current day is when you set up the quote section. So if it is Feb 12 that is the start date. If it is Mar 28 that is the start date.

    Therefore when you add your content the current day you added the section will begin the 30 day content.

    Plugin Author Me

    (@cyberws)

    You will need to change the separator from enter/return to something like %break%

    Otherwise the plugin will think each return is a new quote and that will mess up things.

    Plugin Author Me

    (@cyberws)

    Yes. Full html is supported.
