• Resolved alysbrussels

    (@alysbrussels)


    Dear Developer,

    Are you aware that, along with Wordfence, your plugin Shortcodes Ultimate contains a critical vulnerability, and users are being advised to remove it?

Viewing 8 replies - 1 through 8 (of 8 total)
  • mperry8304

    (@mperry8304)

    I believe this has been downgraded to a “medium” since an attacker has to be at least a contributor to exploit this. Still, it’s an issue. Looking forward to seeing a fix for this. Shortcodes Ultimate is a great plugin and I’m using it on several sites.

    boucher.cecile

    (@bouchercecile)

    I hope a patch is coming soon. Until then, I think it’s essential to deactivate this plugin.

    btw – wordfence is still reporting this as critical

    bjpbkk

    (@bjpbkk)

    We are all hoping for a quick update.

    I found that neither 7.4.1 nor 7.4.2 displayed the shortcodes properly on my site so I’ve reverted to 7.4.0 until the developer sorts this out.

    It’s very disappointing how long this is taking to fix – up until this last week, I’ve been very pleased with the plugin and I was happy to pay for the premium version.

    I’m surprised 7.4.2 is still being offered for download as it’s obvious from this forum that it causes problems.

    Would also appreciate a fix…

    Hi,

    Love your plugin and have it installed on about 100 sites. Could you let us know the rough timeline/ETA on a patch release date?

    Thanks!

    My understanding of the vulnerability is that it’s within the magnific-popup v1.1.0 JavaScript code and not the plugin itself. It appears that the developers of magnific popup fixed this issue last year under v1.2.0.

    Rather than remove the plugin whilst waiting for a patch to fix this, I’m trying to see if simply replacing the js and css files within the vendor folder of the plugin will resolve this. I’m aware it’s not the correct approach, but it seems to be working so far. It still needs proper testing, but I thought it might be of interest.
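
Added example, not part of the original post and not the plugin's own code: one way to inventory which magnific-popup version each installed plugin bundles, taking the version numbers in the reply above (v1.1.0 affected, v1.2.0 fixed) at face value. It assumes bundled copies keep an upstream-style banner comment of the form `Magnific Popup - vX.Y.Z`; the plugin names, file paths and banner text in the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: bundled copies keep a banner comment near the top of the file,
# e.g. "/*! Magnific Popup - v1.1.0 - ...". A minifier may have stripped it.
BANNER = re.compile(rb"Magnific Popup\s*-\s*v(\d+)\.(\d+)\.(\d+)", re.I)
FIXED = (1, 2, 0)  # release the thread names as containing the upstream fix


def find_magnific_popup(root):
    """Return (path, version or None, status) for each bundled copy under root."""
    results = []
    for path in sorted(Path(root).rglob("*.js")):
        with path.open("rb") as fh:
            head = fh.read(4096)  # the banner sits at the top of the file
        match = BANNER.search(head)
        if match:
            version = tuple(int(part) for part in match.groups())
            status = "ok" if version >= FIXED else "outdated"
            results.append((str(path), version, status))
        elif "magnific" in path.name.lower():
            # Named like the library but no banner: version needs manual review.
            results.append((str(path), None, "unknown"))
    return results


def build_sample_tree(root):
    """Constructed sample; plugin names, paths and banners are hypothetical."""
    plugins = Path(root) / "wp-content" / "plugins"
    samples = {
        "plugin-a/vendor/magnific-popup/magnific-popup.js":
            "/*! Magnific Popup - v1.1.0 - (constructed) */\n;(function(){})();\n",
        "plugin-b/js/jquery.magnific-popup.min.js":
            "/*! Magnific Popup - v1.2.0 - (constructed) */\n;(function(){})();\n",
        "plugin-c/assets/magnific-popup.min.js": "!function(){}();\n",
        "plugin-c/assets/app.js": "console.log('unrelated');\n",
    }
    for rel, text in samples.items():
        target = plugins / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    return plugins


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, version, status in find_magnific_popup(build_sample_tree(tmp)):
            label = ".".join(map(str, version)) if version else "?"
            print(f"{status:9} {label:7} {path}")
```

Run against a real `wp-content/plugins` directory, the same function shows whether a manual file swap or a plugin update actually changed the bundled copy, and which other plugins ship their own copy of the library.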


The topic ‘Critical vulnerability’ is closed to new replies.