Security Risk?

Resolved edithmayerhofer
(@edithmayerhofer)

11 months, 4 weeks ago

Hello,

Ionos (and also other institutions / providers) are stating, that there is a security risk with your plugin:

wp-content/plugins/updraftplus/includes/updraft-admin-common-1-23-10.min.js

Reflected cross-site scripting via the showdata and initiate_restore parameters

Due to insufficient input sanitization and output escaping, it is possible for unauthenticated attackers to inject arbitrary web scripts into pages. These scripts can execute if the attacker successfully tricks an admin user into performing an action, such as clicking a link.

Can you tell us something about?

Cheers.

The page I need help with: [log in to see the link]

Viewing 6 replies - 1 through 6 (of 6 total)

nrobertsudp
(@nrobertsudp)

11 months, 4 weeks ago

Hi there,

Thank you for bringing this to our attention. I have notified the developers of this matter.
Can you please provide a reference link for the Ionos source which cites the security risk?

Could you also please provide details related to other institutions / providers you mention?
The more information we have from your sources the better we’ll be able to address issues.

Best regards,

Nick
Thread Starter edithmayerhofer
(@edithmayerhofer)

11 months, 4 weeks ago
Hi Nick,

Thanks for your reply.

Here are some additional links I found. However, after looking more closely at the details, it seems the version I have installed (1.25.6) shouldn’t be affected by this issue anymore, as it has already been patched.

To be honest, I’m not entirely sure at this point whether it might be a false positive from Ionos. If that’s the case, I apologize for not verifying all the details earlier.
Thanks again,
Edith
nrobertsudp
(@nrobertsudp)

11 months, 4 weeks ago

Hi there,

Judging by the script name ‘updraft-admin-common-1-23-10.min.js’ this is an old / solved issue.
There was an issue as described highlighted a couple of years ago, it was fixed by us back then.

If you are aware of any current issues please provide us with the details and we will investigate,

Best regards,

Nick

nrobertsudp
(@nrobertsudp)

11 months, 4 weeks ago

Hi Edith,

Thank you very much for the additional information.

After reading through the links I can confirm you’re correct, the issue was patched.
If Ionos is flagging an issue it does seem most likely it’s a false positive being raised.

It’s absolutely no problem highlighting this though, we’re grateful for alerts like this.
We would rather have the issue raised and confirm it’s now resolved than take risks.

If you do have any further difficulties please let us know and we’ll be happy to help.

Best regards,

Nick

Thread Starter edithmayerhofer
(@edithmayerhofer)

11 months, 4 weeks ago

Thank you, Nick!

nrobertsudp
(@nrobertsudp)

11 months, 4 weeks ago

Hi Edith,

Thank you very much, I’m happy to have helped!

Best regards,

Nick

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Security Risk?’ is closed to new replies.

Tags