• Resolved cultivatestillness

    (@cultivatestillness)


    A report from my Jetpack Protect says your plugin is a security risk. I see it is a fresh build at 1.2 so maybe the vulnerability was just introduced with the new version. Here is the report:

    “What is the problem?

    The installed version of Coming Soon and Maintenance by Colorlib (1.2.0) has a known security vulnerability.”

    Unfortunately it doesn’t elaborate. Google search hasn’t actually given me a bad report for the current version, and the only report showing from ww.wp.xz.cn says this version actually ADDRESSES security issues, so I don’t know what to make of it.

    Any patch coming for this, or is this a false positive or something?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Silkalns

    (@silkalns)

    Both vulnerabilities are fixed in the current 1.2.0 code. I did receive the same message on Jetpack for our test site but that’s a false positive. I will notify Jetpack to fix this on their side but the plugin is fixed and is safe.

    CVE-2022-1945 — Stored XSS via Google Analytics (<= 1.0.98)

    What it was: The GA tracking ID setting wasn’t sanitized, allowing admins to inject JavaScript (relevant on multisite where unfiltered_html is disallowed).

    How it’s fixed (defense in depth):

    1. Sanitization on save — class-ccsm-customizer.php:593-595 — ccsm_sanitize_google_analytics() runs esc_html() before storing
    2. Output escaping — colorlib-template.php:17-23 — esc_html() + quote stripping on both the <script src> and gtag('config') output
    3. Migration notice — main plugin file:920-927 — detects the old vulnerable setting key and prompts admins to update

    CVE-2024-1473 — Information Exposure via REST API (<= 1.0.99)

    What it was: The plugin blocked page access but didn’t block the REST API, so unauthenticated users could read posts/pages via /wp-json/wp/v2/posts while the site was supposedly in maintenance mode.

    How it’s fixed:

    colorlib-coming-soon-and-maintenance-mode.php:65 hooks rest_pre_dispatch, and the filter at lines 153-175 returns a WP_Error with HTTP 403 for all unauthenticated REST requests when coming soon mode is active. Logged-in users pass through normally.
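
    The two fixes the author outlines, written out as an added illustration (this is not the plugin's own code and was not posted by the author). It assumes hypothetical names: the option example_ccsm_active for the mode switch, the setting example_ccsm_ga_id, and the example_ccsm_* functions. For the Google Analytics ID it goes one step further than the escaping described above and accepts only the known UA-/G- ID shapes on save, so a script payload is discarded rather than stored escaped; output is still escaped again as defense in depth. The REST gate hooks rest_pre_dispatch inside WP_REST_Server, which covers the ?rest_route= form of a request as well as /wp-json/, unlike a check on the request URL.

```php
<?php
/**
 * Added example, not part of the Colorlib plugin: a maintenance-mode REST
 * gate and a Google Analytics ID sanitizer in the shape described above.
 * Option, setting and function names are assumptions for this example.
 */

// Assumed option holding whether coming-soon / maintenance mode is active.
const EXAMPLE_CCSM_ACTIVE_OPTION = 'example_ccsm_active';

/**
 * Sanitize a Google Analytics ID before it is saved.
 * Allowlist the only two shapes GA issues (UA-XXXXXXXX-N or G-XXXXXXXXXX);
 * anything else becomes the empty string, so injected markup never reaches
 * the database regardless of the saving user's capabilities.
 */
function example_ccsm_sanitize_ga_id( $value ) {
    $value = strtoupper( trim( (string) $value ) );
    if ( preg_match( '/^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,12})$/', $value ) ) {
        return $value;
    }
    return '';
}

// Register the setting with the sanitizer so every save path runs it.
add_action( 'init', function () {
    register_setting(
        'example_ccsm',
        'example_ccsm_ga_id',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_ccsm_sanitize_ga_id',
            'default'           => '',
        )
    );
} );

/**
 * Print the GA snippet. The value is re-validated and escaped for the
 * context it lands in (attribute vs. JS string) even though it was
 * validated on save: defense in depth, as in the fix described above.
 */
function example_ccsm_print_ga_tag( $ga_id ) {
    $ga_id = example_ccsm_sanitize_ga_id( $ga_id );
    if ( '' === $ga_id ) {
        return;
    }
    printf(
        '<script async src="https://www.googletagmanager.com/gtag/js?id=%1$s"></script>'
        . '<script>window.dataLayer=window.dataLayer||[];'
        . 'function gtag(){dataLayer.push(arguments);}'
        . 'gtag(\'js\',new Date());gtag(\'config\',\'%2$s\');</script>',
        esc_attr( $ga_id ),
        esc_js( $ga_id )
    );
}

/**
 * Deny every unauthenticated REST request while the mode is active.
 * rest_pre_dispatch runs inside WP_REST_Server for any route, so both
 * /wp-json/wp/v2/posts and /?rest_route=/wp/v2/posts are covered.
 * Cookie+nonce and Application Password authentication have already been
 * resolved through determine_current_user by the time this filter runs,
 * so is_user_logged_in() reflects the actual REST caller.
 */
function example_ccsm_rest_gate( $result, $server, $request ) {
    if ( ! get_option( EXAMPLE_CCSM_ACTIVE_OPTION ) ) {
        return $result; // Mode off: normal REST behaviour.
    }
    if ( is_user_logged_in() ) {
        return $result; // Logged-in users pass through.
    }
    return new WP_Error(
        'rest_forbidden_maintenance',
        __( 'Site is in maintenance mode.', 'example-ccsm' ),
        array( 'status' => 403 )
    );
}
add_filter( 'rest_pre_dispatch', 'example_ccsm_rest_gate', 10, 3 );
```

    To confirm a site is no longer exposed, request /wp-json/wp/v2/posts and /?rest_route=/wp/v2/posts from a logged-out session (for instance with curl and no cookies) while the mode is on; both should return HTTP 403 with the WP_Error JSON body, while the same request made with a valid logged-in cookie and X-WP-Nonce header should return the posts. Note that the gate also blocks any unauthenticated front-end feature that talks to the REST API (contact forms, block-based search and the like), which is the intended behaviour while the site is closed to visitors.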

    Thread Starter cultivatestillness

    (@cultivatestillness)

    Thank you for getting back to me. Glad it is a false positive. I really like the plugin.

