It looks like there’s an error in the information about this issue. The upper version limit points to a version that doesn’t exist.
https://www.wordfence.com/threat-intel/vulnerabilities/detail/freemius-sdk-259-reflected-cross-site-scripting-via-fs-request-get?q=eu+vat
I’ve sent an email to Wordfence to ask to check this, because in the latest version the issue should have been fixed according to the changelog.
Plugin Author
Diego
(@daigo75)
The EU VAT Assistant doesn’t have a security vulnerability per se. The report refers to the Freemius library, which this plugin bundles together with the AFC framework, but it doesn’t load, thus removing the risk.
In addition to that, the vulnerability was fixed in the Freemius library 2.5.10, which has already been part of the EU VAT Assistant since version 2.1.2.230718. Based on the report provided by Patchstack, that should be sufficient to fix the issue.
Note
The EU VAT Assistant reached its end of life in June 2022 and we can no longer provide support for it, nor guarantee updates. We are keeping the plugin available for users who still use it and might need to access its code, but we would recommend contacting your developers if you need assistance tweaking or troubleshooting it.
Wordfence has just let me know that the upper version number has been changed, so the latest version won’t be reported as vulnerable anymore.
@daigo75, the issue was caused by a tagged version with a higher version number that probably was never actually released. You might want to consider removing that tag. https://plugins.trac.ww.wp.xz.cn/browser/woocommerce-eu-vat-assistant/tags/2.4.6.230518