Title: Plugin Vulnerability – Reflected Cross-Site Scripting Last modified: July 29, 2023 --- # Plugin Vulnerability – Reflected Cross-Site Scripting * Resolved [kspd1389](https://wordpress.org/support/users/kspd1389/) * (@kspd1389) * [2 years, 10 months ago](https://wordpress.org/support/topic/plugin-vulnerability-reflected-cross-site-scripting/) * Wordfence is sending email alerts for websites that I manage that are using this plugin (Anywhere Elementor) due to a vulnerability for Reflected Cross-Site Scripting. Here is the report link they provided in their email: * [https://www.wordfence.com/threat-intel/vulnerabilities/detail/freemius-sdk-259-reflected-cross-site-scripting-via-fs-request-get](https://www.wordfence.com/threat-intel/vulnerabilities/detail/freemius-sdk-259-reflected-cross-site-scripting-via-fs-request-get) * I am using this plugin on a lot of client websites but noticed there has not been a patch for this yet. Are there any updates or more information we can expect in regard to this? Thank you. Viewing 5 replies - 1 through 5 (of 5 total) * Thread Starter [kspd1389](https://wordpress.org/support/users/kspd1389/) * (@kspd1389) * [2 years, 10 months ago](https://wordpress.org/support/topic/plugin-vulnerability-reflected-cross-site-scripting/#post-16932194) * Here is the direct link to the Anywhere Elementor page’s results on the Wordfence site too, the latest issue is under the vulnerabilities area: [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/anywhere-elementor](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/anywhere-elementor) * [Anand Upadhyay](https://wordpress.org/support/users/anandau14/) * (@anandau14) * [2 years, 10 months ago](https://wordpress.org/support/topic/plugin-vulnerability-reflected-cross-site-scripting/#post-16935617) * Hi [@kspd1389](https://wordpress.org/support/users/kspd1389/) * This is a false positive report. Our plugin is not affected by the above-mentioned vulnerability. We have already reported to Wordfence regarding the issue. They have acknowledged it and will be fixing it from their end. * Thread Starter [kspd1389](https://wordpress.org/support/users/kspd1389/) * (@kspd1389) * [2 years, 10 months ago](https://wordpress.org/support/topic/plugin-vulnerability-reflected-cross-site-scripting/#post-16936832) * Hi [@anandau14](https://wordpress.org/support/users/anandau14/) , * Thank you for responding and the clarification. The Wordfence network still appears to be identifying this as a vulnerability as I’ve received several more alerts today even since your reply but I am hoping they get their system updated soon given that it is a false positive report. I am going to mark this as resolved for now. Thanks again. * Thread Starter [kspd1389](https://wordpress.org/support/users/kspd1389/) * (@kspd1389) * [2 years, 10 months ago](https://wordpress.org/support/topic/plugin-vulnerability-reflected-cross-site-scripting/#post-16939822) * Hi [@anandau14](https://wordpress.org/support/users/anandau14/), * I just wanted to let you know that Wordfence is still sending out these emails alerts, I’ve received multiple email alerts now for each website that we have Anywhere Elementor installed on. Some websites have generated 3 alerts for this particular issue. I wanted to give a heads up in case Wordfence gave you an update on when they are planning to update things on their end for this? Thank you. * [Anand Upadhyay](https://wordpress.org/support/users/anandau14/) * (@anandau14) * [2 years, 10 months ago](https://wordpress.org/support/topic/plugin-vulnerability-reflected-cross-site-scripting/#post-16940191) * Hi [@kspd1389](https://wordpress.org/support/users/kspd1389/) * This is the response I got from Wordfence * > Thank you for bringing this to our attention. We will get this fixed as soon > as possible.  * I am not sure about the process they follow in such cases. We have already released an update yesterday. I think updating to 1.2.9 can fix those alerts. We have removed a blank folder of freemius SDK which I think is the reason why they marked our plugin as affected by the recent freemius vulnerability. We removed the Freemius integration from our free plugin around 3 months back but a blank freemius folder remains there by mistake. Which was of course not harming in any way, but it seems Wordfence got confused by that. Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘Plugin Vulnerability – Reflected Cross-Site Scripting’ is closed to new replies. * ![](https://ps.w.org/anywhere-elementor/assets/icon-128x128.png?rev=3417069) * [Dynific Addons for Elementor (formerly AnyWhere Elementor)](https://wordpress.org/plugins/anywhere-elementor/) * [Support Threads](https://wordpress.org/support/plugin/anywhere-elementor/) * [Active Topics](https://wordpress.org/support/plugin/anywhere-elementor/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/anywhere-elementor/unresolved/) * [Reviews](https://wordpress.org/support/plugin/anywhere-elementor/reviews/) * 9 replies * 2 participants * Last reply from: [Anand Upadhyay](https://wordpress.org/support/users/anandau14/) * Last activity: [2 years, 10 months ago](https://wordpress.org/support/topic/plugin-vulnerability-reflected-cross-site-scripting/#post-16940191) * Status: resolved