Viewing 4 replies - 1 through 4 (of 4 total)
  • Andy

    (@andycrone)

    +1. WP Defender plugin is also reporting this as a vulnerability. Any ETA on a fix?

    whitefirdesign

    (@whitefirdesign)

    We wouldn’t consider this a vulnerability, but if it was, it would not be a serious vulnerability. The only users that could do what is suggested in that report are Editor and Administrator level users, both of whom would normally have the unfiltered_html capability, so they are specifically given the ability to use the equivalent of cross-site scripting (XSS). It would probably be more accurate to describe that as a bug.

    If you think it is a vulnerability then you should notify the Plugin Directory about the security issue by sending an email to plugins [at] ww.wp.xz.cn.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    We’re with WhiteFir. It’s not a vulnerability.

    Andy

    (@andycrone)

    Hey guys, thanks for the replies. No worries, will ignore the warnings 🙂

The topic ‘Auth XSS Vulnerability, FIX?’ is closed to new replies.