• Resolved amicalmant

    (@amicalmant)


    My security plug-in just warned me of a serious security breach in the current version of Events Manager. Since I don’t currently use it due to the pandemic, I have backed up everything (plugin files, pages and database tables) and uninstalled it.

    Does anyone have information on this issue? Looks like it is not fresh news (google search?q=Events+Manager+plugin+cross-site+scripting), so should we be worried? Is this threat real? If so, is there a fix coming soon?

    UPDATE: I checked the dev blog and it seems that there was already a fix for a XSS issue, recently*, so I wonder if this is a new issue or just a #fakenews…

    * https://wp-events-plugin.com/blog/2020/07/06/events-manager-5-9-8/

    • This topic was modified 5 years, 5 months ago by amicalmant. Reason: Added details (UPDATE section)
    • This topic was modified 5 years, 5 months ago by Yui. Reason: link removed, topic renamed
Viewing 4 replies - 1 through 4 (of 4 total)
    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    Hello,

    Firstly, thanks for reporting this, although I’d generally prefer that security issues get reported privately to us directly.

    However, I’d like to address this publicly anyway to clarify the confusion:

    Thankfully, in this case, it’s a false positive and we’ve covered this issue with the WordPress Plugins security team at the end of August this year.

    For some reason, this has made it through to this service, which has now propagated the false-positive to iThemes and (from what I’m told) JetPack.

    https://wpscan.com/vulnerability/10483

    We’re in contact with WPScan to get this resolved. We take security very seriously and will always respond with utmost urgency to any known security report.

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    Hello, just to let you know that this is a false positive and we’re aware of the situation. I’ve commented on this thread with a more complete explanation but it’s awaiting moderation (most likely due to the links provided).

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    Hi, well, things moved fast thankfully with WPScan. They’ve already removed the report on their site, hopefully it’ll propagate fast to the corresponding security plugins:

    I’ve written a full report on our blog: http://em.cm/e

    Moderator Yui

    (@fierevere)

    永子

    @amicalmant
    @netweblogic

    Please do not openly discuss vulnerabilities on the forum.
    You can communicate privately (email/ticket system) or use the guidelines:

    https://developer.ww.wp.xz.cn/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

    Since the report is a false positive, I will not delete this thread but will rename and close it.

    • This reply was modified 5 years, 5 months ago by Yui.

The topic ‘[false positive] authentificated stored xss’ is closed to new replies.