Can you provide specifics? File, reference line #, etc? The link above just reiterates what you have stated.
This is a false positive. You can also help prevent this by installing a CSP in your .htaccess file.
https://content-security-policy.com/examples/htaccess/
https://web.dev/articles/csp
I have had several audits of the plugin code and there is no CSRF vulnerability found. Can you please send me specific details from your host to let me know where their concern is? What line in the code, what file. What vulnerabilities they have found and their recommendations on fixing it. Thanks!
Thread Starter
cmarcc
(@cmarcc)
Hi,
The CVE record is here but it is not very specific: https://www.cve.org/CVERecord?id=CVE-2023-45269
The contributor who discovered the vulnerability (if confirmed) is listed in the credits section, not sure if it’s possible to contact him directly, or Patchstack?
https://patchstack.com/database/vulnerability/cds-simple-seo/wordpress-simple-seo-plugin-2-0-23-cross-site-request-forgery-csrf-vulnerability
The CVE record is blank for me, it states, “CVE-YYYY-NNNN must be 4 digits or greater”. The patchstack.com report is a false positive unless more detailed information can be supplied. I can assure you I have had several audits and there are no vulnerabilities. All code is escaped, no injects are possible, and nonce security is in place so there is no CSRF.
I’ll be more than happy to adjust, add, or fix but I can’t work with vague, non-specific information.
Thanks!
Regards,
David M. Cole, M.Sc. CS, BDes
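For readers following the nonce discussion above, here is an added example (not code from the cds-simple-seo plugin or its author) of how a WordPress admin form is protected against CSRF: a nonce tied to the action plus a capability check on the handler. The option name, action name and function names are hypothetical.

```php
<?php
/*
 * Added example, not from the cds-simple-seo plugin: a WordPress settings
 * form whose save handler rejects forged cross-site requests.
 * Option name, action name and function names are hypothetical.
 */

// Render the form. wp_nonce_field() emits a hidden nonce bound to this action
// and to the current user, so another site cannot pre-build a valid POST.
function example_seo_render_settings_form() {
    $current = get_option( 'example_seo_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_seo_save">
        <?php wp_nonce_field( 'example_seo_save', 'example_seo_nonce' ); ?>
        <label>Site title
            <input type="text" name="example_seo_title" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Both checks are required: the nonce proves the request came
// from a form this site rendered for this user; the capability proves the user
// is actually allowed to change settings.
function example_seo_handle_save() {
    // check_admin_referer() calls wp_die() if the nonce is missing, expired or forged.
    check_admin_referer( 'example_seo_save', 'example_seo_nonce' );

    // A nonce proves intent, not authority, so still verify the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Unslash and sanitize user input before persisting it.
    $title = isset( $_POST['example_seo_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) )
        : '';
    update_option( 'example_seo_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_example_seo_save', 'example_seo_handle_save' );
```

A handler that updates options without the check_admin_referer() call is the pattern a CSRF finding like the one discussed in this thread would point at, so reviewers typically look for that call (or wp_verify_nonce()) in every state-changing admin action.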
I confirm the latest update (as of November 2, 2023) has fixed the security vulnerability on my site.
Thank you!