Title: Security issue
Last modified: April 8, 2025

---

# Security issue

 *  Resolved [dooza](https://wordpress.org/support/users/dooza/)
 * (@dooza)
 * [1 year, 2 months ago](https://wordpress.org/support/topic/security-issue-175/)
 * Hi there, any plans to update the plugin following this security issue that has
   been found: [https://patchstack.com/database/wordpress/plugin/advanced-backgrounds/vulnerability/wordpress-advanced-wordpress-backgrounds-plugin-1-12-4-content-injection-vulnerability?_a_id=431](https://patchstack.com/database/wordpress/plugin/advanced-backgrounds/vulnerability/wordpress-advanced-wordpress-backgrounds-plugin-1-12-4-content-injection-vulnerability?_a_id=431)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [Vishy Moghan](https://wordpress.org/support/users/vishy-moghan/)
 * (@vishy-moghan)
 * [1 year, 2 months ago](https://wordpress.org/support/topic/security-issue-175/#post-18409326)
 * Good question, I have just had the same notification from Wordfence!! Any news?
 *  [cantbutron](https://wordpress.org/support/users/cantbutron/)
 * (@cantbutron)
 * [1 year, 2 months ago](https://wordpress.org/support/topic/security-issue-175/#post-18410240)
 * Same notification in Wordfence and in hosting providers’ own security systems
   (Ionos, Godaddy…).
 *  Plugin Author [nK](https://wordpress.org/support/users/nko/)
 * (@nko)
 * [1 year, 2 months ago](https://wordpress.org/support/topic/security-issue-175/#post-18410443)
 * Hi everyone,
 * I’m not sure why this XSS vulnerability was published. Back in January, Darius
   from Patchstack contacted me with XSS details, and I tried to reproduce it locally.
   I found that there is no issue with our plugin and informed Darius about this.
   I never received any reply or additional information from Darius or anyone else
   regarding the XSS issue.
 * This was my reply:
 * > I may be missing something, but your example appears invalid.
   > In your video, you’re breaking the block output, and our block code doesn’t
   > execute at all. Instead, you’re displaying custom HTML. This approach allows
   > outputting any content using any block name.
   > From 2:24 in your video, the output is no longer from our block – it’s just
   > a simple string:
   > — There was a screenshot from the video, but I’m not sure it makes sense right
   > now. —
   > I can replicate this behavior in the editor with various tags, but this doesn’t
   > indicate a vulnerability in our block. You can see an example of how our block
   > should function and how your “injection” disrupts it here: [https://shot.nkdev.info/94YjltmsRdp11RrsMP7Z](https://shot.nkdev.info/94YjltmsRdp11RrsMP7Z).
   > This example also demonstrates how renaming the block produces the same output.
   > If I’m wrong, please show me where.
 * I’ve contacted Darius again and am waiting for his reply. Perhaps someone else
   can help resolve this issue. I’m still unsure whether this report is valid since
   I cannot reproduce it. If it is valid, we will definitely fix it.
 * Regards,
   Nikita.
 *  Plugin Author [nK](https://wordpress.org/support/users/nko/)
 * (@nko)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/security-issue-175/#post-18419001)
 * Darius replied to me and rejected this security report as it appears invalid 👍
 *  [cantbutron](https://wordpress.org/support/users/cantbutron/)
 * (@cantbutron)
 * [1 year, 1 month ago](https://wordpress.org/support/topic/security-issue-175/#post-18448632)
 * WPScan continues to report a security issue with the plugin due to the possibility
   of content injection.
   [https://wpscan.com/plugin/advanced-backgrounds/](https://wpscan.com/plugin/advanced-backgrounds/)
 *  [soemarketing](https://wordpress.org/support/users/soemarketing/)
 * (@soemarketing)
 * [1 year ago](https://wordpress.org/support/topic/security-issue-175/#post-18463588)
 * Has there been any update on this? Wordfence link is broken. WPScan CVE-ID was
   rejected. I have a free account with Wordfence so news is always delayed 30 days.
 *  [Hozefa Saleh](https://wordpress.org/support/users/hozefasmile/)
 * (@hozefasmile)
 * [1 year ago](https://wordpress.org/support/topic/security-issue-175/#post-18488531)
 * Hi, WPScan is also showing this vulnerability (content injection): [https://wpscan.com/plugin/advanced-backgrounds/](https://wpscan.com/plugin/advanced-backgrounds/)
 *  [dportela](https://wordpress.org/support/users/dportela/)
 * (@dportela)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-issue-175/#post-18585446)
 * Wordfence still flags it as vulnerable, with a broken link.
 *  Plugin Author [nK](https://wordpress.org/support/users/nko/)
 * (@nko)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-issue-175/#post-18585572)
 * [@dportela](https://wordpress.org/support/users/dportela/) WPScan ignores our
   emails, so we’re not sure how to fix this since the issue was never on our side.
 *  [dportela](https://wordpress.org/support/users/dportela/)
 * (@dportela)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-issue-175/#post-18585641)
 * Thanks. I posted to the Wordfence support forum about it, but the post was held
   for moderation. Hopefully it will be published and that will prompt an update.
 *  [dportela](https://wordpress.org/support/users/dportela/)
 * (@dportela)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-issue-175/#post-18589284)
 * The [Wordfence support thread](https://wordpress.org/support/topic/advanced-wordpress-backgrounds-1-12-7-false-positive-broken-wordfence-link/)
   has been posted and answered. And my latest scan just now, with the plugin enabled,
   came through clean. Success (at least with Wordfence)!
   I’ve sent a message to
   WPScan through the contact form on their site, as they no longer support non-
   enterprise customers through the WordPress.org support forums. I installed their
   plugin to run a check and it’s still flagging the false positive. Hopefully they
   will see the message and make an update.
    -  This reply was modified 10 months, 1 week ago by [dportela](https://wordpress.org/support/users/dportela/).
      Reason: Adding WPScan scan and contact
 *  Plugin Author [nK](https://wordpress.org/support/users/nko/)
 * (@nko)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-issue-175/#post-18589571)
 * [@dportela](https://wordpress.org/support/users/dportela/) thank you 🎉 We contacted
   WPScan twice but received no response.


The topic ‘Security issue’ is closed to new replies.


 * 13 replies
 * 7 participants
 * Last reply from: [nK](https://wordpress.org/support/users/nko/)
 * Last activity: [10 months, 1 week ago](https://wordpress.org/support/topic/security-issue-175/#post-18589571)
 * Status: resolved