Viewing 5 replies - 1 through 5 (of 5 total)
  • whitefirdesign

    (@whitefirdesign)

    We wouldn’t consider this a vulnerability, as the only users that could do what is suggested in that report are Editor and Administrator level users, both of whom would normally have the unfiltered_html capability, so they are specifically given the ability to use the equivalent of cross-site scripting (XSS). It would probably be more accurate to describe it as a bug.

    If you think it is a vulnerability then you should notify the Plugin Directory about the security issue by sending an email to plugins [at] ww.wp.xz.cn.

    matt

    (@matthieua)

    Dear White Fir Design,

    It is actually a real vulnerability because it lets Editors easily execute arbitrary JavaScript and therefore could gain Administrator level. Would you please find the XSS in your nice plugin? It would be great and would give us more peace of mind, as well as removing the Security warnings on the plugin.

    All the best,

    whitefirdesign

    (@whitefirdesign)

    We are not involved in the development of this plugin.

    As we mentioned before, Editor level users normally have the unfiltered_html capability, which allows them “to post HTML markup or even JavaScript code in pages, posts, comments and widgets”. So what you are concerned about, they can already do. The people running the Plugin Directory agree that this isn’t a vulnerability.

    You should contact whoever is incorrectly claiming this is a vulnerability, so they can correct their data and that way you won’t see the erroneous warning anymore.

    There is an XSS in this plugin and I hope it will be fixed 🙂

    Why? Having Editors post HTML and triggering XSS in the website is not the same as having an XSS in the Admin UI where no XSS is expected, ever. Cheers

    Hello,

    Plugins should respect the DISALLOW_UNFILTERED_HTML constant setting, and if it is TRUE, the plugin should handle scripts in HTML content the same way as WP core does.

    See https://make.ww.wp.xz.cn/core/2010/12/31/the-published-exploit-for-wordpress-3-0-4-isnt-accurate/

    Regards, Jan

    • This reply was modified 9 years, 3 months ago by janrenn.
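
One way a plugin can follow the behaviour described in the reply above, as an added example that is not code from the plugin under discussion or from any participant in this thread. The option names, settings group and `example_` functions are hypothetical; the WordPress calls are core APIs.

```php
<?php
// Added example. Every name prefixed "example_" is hypothetical.
defined( 'ABSPATH' ) || exit;

add_action( 'admin_init', function () {
    // Option that is meant to hold HTML (shown on the front end).
    register_setting( 'example_group', 'example_banner_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_banner',
        'default'           => '',
    ) );
    // Option that is only ever plain text (shown in the admin UI).
    register_setting( 'example_group', 'example_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
} );

/**
 * Store raw HTML only for users core itself trusts with it.
 *
 * current_user_can( 'unfiltered_html' ) is false when
 * DISALLOW_UNFILTERED_HTML is true, and on multisite for anyone who
 * is not a super admin, so the constant is honoured without the
 * plugin reading it directly.
 */
function example_sanitize_banner( $raw ) {
    $raw = (string) $raw;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;
    }
    // Same allow-list core applies to post content for untrusted users.
    return wp_kses_post( $raw );
}

/** Render both fields; escape on output whatever was stored. */
function example_render_fields() {
    printf(
        '<input type="text" name="example_label" value="%s" />',
        esc_attr( get_option( 'example_label', '' ) )
    );
    printf(
        '<textarea name="example_banner_html" rows="6">%s</textarea>',
        esc_textarea( get_option( 'example_banner_html', '' ) )
    );
}
```

The plain-text field is sanitized and escaped regardless of capability, so markup stored in it is never interpreted in the admin screen.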

The topic ‘Authenticated Cross-Site Scripting (XSS)’ is closed to new replies.