Hi, @gustao
Sorry for the late reply.
Could you please provide more details about what kind of vulnerability was found?
Also, if possible, could you share the related GitHub Issue or explanation so that I can better understand and address the problem?
Here is the GitHub repository for reference:
https://github.com/takashi-matsuyama/my-favorites
If the information is sensitive or not appropriate to share publicly,
you can also reach me via Slack — I’m available as @Takashi Matsuyama on the Make WordPress Slack:
https://profiles.ww.wp.xz.cn/takashimatsuyama/
Thank you in advance!
Hello @takashimatsuyama, thank you for your response!
Unfortunately, I don’t have technical details about the vulnerability. I was only alerted to it by the Patchstack tool after running a scan on the plugins currently active on my site.
You can find the public report here:
https://patchstack.com/database/wordpress/plugin/my-favorites/vulnerability/wordpress-my-favorites-plugin-1-4-1-cross-site-scripting-xss-vulnerability
I hope this helps clarify the situation.
Thanks again for your great work!
Hello @gustao
Thank you for the report and for your concern regarding plugin security.
After reviewing the Patchstack post and the plugin codebase, I believe this may be a case of limited impact or a misunderstanding of the intended context.
The relevant area can only be accessed by users with administrator capabilities.
According to the WordPress Security White Paper,
“WordPress assumes that site administrators are trusted users.”
Based on this principle, the functionality in question is unlikely to pose a practical security concern.
In other words, WordPress does not consider it a vulnerability if a plugin relies on trusted administrators to input or modify PHP functions, since such users already have full control over the site and its code.
That said, I do appreciate the heads-up and will take a closer look when time permits to ensure the plugin doesn’t trigger automated tools like Patchstack unnecessarily.
If any improvements can be made to harden the plugin further — even in admin-only contexts — I’ll certainly consider implementing them in a future update.
Thanks again for reaching out and helping improve the ecosystem.