Cross Site Scripting (XSS) vulnerability

Resolved Andyt8
(@andyt8)

8 months, 2 weeks ago

Hello,

I received information from a security plugin that the Statify Widget plugin contains a vulnerability that has not yet been fixed. Will this be fixed in the near future, or should I disable the plugin or look for an alternative, if available?

WordPress Statify Widget plugin <= 1.4.6 – Cross Site Scripting (XSS) vulnerability

best regards, Andyt

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author Finn Dohrn
(@bitnulleins)

8 months, 2 weeks ago

Hello @andyt8 ,

Of course I want to remove XSS vulnerabilities. I actively maintain the plugin. Can you send me a note or the excerpt where this vulnerability is supposed to be or was noticed?

As far as I know, there is no alternative widget with the same functionality for Statify.

Thank you very much for reporting this,
Finn

Thread Starter Andyt8
(@andyt8)

8 months, 2 weeks ago

Hello Finn,

Thank you for your fast response. I don’t know the original source. My security plugin read several sources. However, I found the following:

-) https://wpscan.com/vulnerability/c9fe39c5-ec0f-490b-8ceb-45fd47b8f772/

-) https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/statify-widget/statify-widget-146-authenticated-contributor-stored-cross-site-scripting

Hopefully that is a help for you?

best regards, Andyt

Thread Starter Andyt8
(@andyt8)

8 months, 1 week ago

…by the way, I wonder, because no one did inform you – the developer… – really strange process. Therefore I thought, the active support was stopped, because no reaction after several days / one week and so on.

Plugin Author Finn Dohrn
(@bitnulleins)

8 months, 1 week ago

Hey @andyt8

Yes, that’s strange and a unfortunate. But it’s nice that you thought of it. 🙂

I have now fixed many potential XSS attack points. I wanted to validate everything again before releasing a new version. Just wanted to let you know that I’m working on it.

Cheers,
Finn

Plugin Author Finn Dohrn
(@bitnulleins)

8 months ago

Hey @andyt8

Thanks again for submitting the XSS issues. I published version 1.4.7 and fix some XSS vulnerabilities by adding more escaping functions in print statements. So I hope the issue from Patchstack etc. will be closing. 🙂

Cheers!

Thread Starter Andyt8
(@andyt8)

7 months, 4 weeks ago

Hello Finn,

I’m able to confirm, the issue was closed, because the WordPress Security plugin don’t report something about the plugin. Thanks for the help.

best regards

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Cross Site Scripting (XSS) vulnerability’ is closed to new replies.