Title: Security Vulnerability reported
Last modified: May 6, 2023

---

# Security Vulnerability reported

 *  Resolved [grl570810](https://wordpress.org/support/users/grl570810/)
 * (@grl570810)
 * [3 years, 1 month ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/)
 * Hi Shra,
   Wordfence is flagging version 1.5.8 or older as vulnerable. Please confirm
   that you are aware of this and plan a fix ASAP. TIA, Graham

Viewing 15 replies - 1 through 15 (of 15 total)

 *  Plugin Author [shra](https://wordpress.org/support/users/shra/)
 * (@shra)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16780366)
 * Can you please share more info about the issue? As far as I know, Wordfence doesn't
   provide info about 3rd party plugins. If you can share screenshots or steps to
   reproduce whatever I need to check, you are welcome.
 *  Thread Starter [grl570810](https://wordpress.org/support/users/grl570810/)
 * (@grl570810)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16781445)
 * Hi [@shra](https://wordpress.org/support/users/shra/) 
   [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/inactive-user-deleter/inactive-user-deleter-158-cross-site-request-forgery-via-multiple-functions](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/inactive-user-deleter/inactive-user-deleter-158-cross-site-request-forgery-via-multiple-functions)
   If you need more details I suggest you reach out to the Wordfence support team.
   Regards, Graham
 *  Anonymous User 20889438
 * (@anonymized-20889438)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16782763)
 * [@shra](https://wordpress.org/support/users/shra/),
 * This case isn’t only about the multiple CSRF issues, but about the Persistent
   XSS as well (`confirmPeriod`).
 *  Plugin Author [shra](https://wordpress.org/support/users/shra/)
 * (@shra)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16782802)
 * Thanks, guys, for a quick response! I will check how to fix these issues.
 *  Plugin Author [shra](https://wordpress.org/support/users/shra/)
 * (@shra)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16783046)
 * I've uploaded a new version (1.59) with wp_nonce usage for all forms; hope you
   are happy now, guys! 🙂
 *  Anonymous User 20889438
 * (@anonymized-20889438)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16783452)
 * [@shra](https://wordpress.org/support/users/shra/), nice one!
 * But you forgot about the Persistent XSS in the `confirmPeriod` parameter.
 *  Plugin Author [shra](https://wordpress.org/support/users/shra/)
 * (@shra)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16783479)
 * Do you think the following code is not enough?

   ```php
   $confirmPeriod = $_POST['confirmPeriod'] <= 0 ? 1 : $_POST['confirmPeriod'] + 0;
   ```

 * In any case it will be converted to a number.
 *  [Hellnik](https://wordpress.org/support/users/hellnik/)
 * (@hellnik)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16785486)
 * PHP 8.0 Warning: Undefined array key "confirmPeriod" in
   inactive-user-deleter\inactive-user-deleter.php on line 363 (v1.59)
 * The error occurs when deleting a user (without email notify).
 *  Plugin Author [shra](https://wordpress.org/support/users/shra/)
 * (@shra)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16785701)
 * Oh my god, guys, you are killing me 🙂 Ok, catch the next version 1.60!
 *  [Hellnik](https://wordpress.org/support/users/hellnik/)
 * (@hellnik)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16787210)
 * Thank you, shra) The plugin is interesting for me.
 *  Anonymous User 20889438
 * (@anonymized-20889438)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16788921)
 * [@shra](https://wordpress.org/support/users/shra/), still exploitable:
 * ![](https://i0.wp.com/i.imgur.com/9rQ2TiO.png?ssl=1)
 * Tips: sanitize input, escape output and don’t try to use HTML tag attributes 
   for any kind of limitations, i.e.: `maxlength`.
 *  Plugin Author [shra](https://wordpress.org/support/users/shra/)
 * (@shra)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16788997)
 * In the last update I rewrote it as follows:

   ```php
   $confirmPeriod = (!isset($_POST['confirmPeriod']) || $_POST['confirmPeriod'] <= 0) ? 1 : intval($_POST['confirmPeriod']);
   ```

 * So, as you see, the value is filtered by the intval function. You say "still exploitable";
   could you share the exploit example, please?
 *  Anonymous User 20889438
 * (@anonymized-20889438)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16789021)
 * [@shra](https://wordpress.org/support/users/shra/), here we go:

   ```http
   POST /wp-admin/users.php?page=inactive-user-deleter%2Finactive-user-deleter.php HTTP/2
   Host: [redacted]
   Cookie: [cookies]
   User-Agent: Mozilla/5.0
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 291

   op=misc&last-inform=0&_wpnonce=[redacted]&_wp_http_referer=[redacted]&informME=1&informPeriod=7&informUsersNumber=50&informUsers=1&confirmPeriod=7%22+onmouseover%3Dalert%28%29%3B%2F%2F+v%3D%22&confirmLetter=X&sbm=Save
   ```
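The three controls this thread converges on (a nonce check against the CSRF finding, a capability check, and integer coercion of `confirmPeriod` plus escaped output against the stored XSS) can be seen together in the following single-file WordPress plugin. It is an added example for this page and is not code from the Inactive User Deleter plugin; the thread never shows the plugin's own output sink, so the form below is a generic stand-in. The option key `iud_example_confirm_period`, nonce action `iud_example_save_misc`, menu slug, text domain and function names are assumptions chosen for the example; only the field names `confirmPeriod` and `sbm` come from the request shown above. Decoded, that request's payload is `7" onmouseover=alert();// v="`, which `intval()`/`absint()` reduce to `7`, so storing the coerced number is safe; the page stays exploitable only if some template echoes the raw request string back unescaped.

```php
<?php
/**
 * Plugin Name: IUD Example Settings (added example)
 *
 * Added example, not code from the Inactive User Deleter plugin: a minimal
 * WordPress admin settings page applying the controls discussed in the thread
 * (nonce check for CSRF, capability check, integer coercion of the posted
 * value, escaped output). Option key, nonce action, menu slug and text domain
 * are hypothetical names. Runs inside WordPress as a single-file plugin.
 */

const IUD_EXAMPLE_NONCE_ACTION = 'iud_example_save_misc';      // assumed name
const IUD_EXAMPLE_OPTION       = 'iud_example_confirm_period'; // assumed name

/**
 * Normalize an untrusted request value into a positive integer.
 * absint() turns the thread's payload  7" onmouseover=alert();// v="  into 7,
 * so the stored value is a number; the separate mistake to avoid is echoing
 * the raw $_POST string anywhere in the page.
 */
function iud_example_normalize_period( $raw ) {
	$period = absint( $raw ); // non-numeric or negative input becomes 0
	return ( 0 === $period ) ? 1 : $period;
}

/** Process the submitted form: CSRF check, authorization, then sanitize and store. */
function iud_example_handle_post() {
	if ( ! isset( $_POST['sbm'] ) ) {
		return;
	}
	// 1. CSRF: check_admin_referer() verifies the _wpnonce field emitted by
	//    wp_nonce_field() below and dies with a 403 page when the nonce is
	//    missing or was minted for another user, session or action.
	check_admin_referer( IUD_EXAMPLE_NONCE_ACTION );

	// 2. Authorization: a valid nonce proves intent, not privilege.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.', 'iud-example' ), 403 );
	}

	// 3. Sanitize input: store an integer, never the raw string.
	$period = iud_example_normalize_period( $_POST['confirmPeriod'] ?? 1 );
	update_option( IUD_EXAMPLE_OPTION, $period );
}

/** Render the form: nonce field in, escaped value out. */
function iud_example_render_page() {
	iud_example_handle_post();
	$period = iud_example_normalize_period( get_option( IUD_EXAMPLE_OPTION, 1 ) );
	?>
	<div class="wrap">
		<h1>Inactive user deleter: misc (example)</h1>
		<form method="post">
			<?php wp_nonce_field( IUD_EXAMPLE_NONCE_ACTION ); ?>
			<label for="confirmPeriod">Confirmation period (days)</label>
			<?php
			// Anti-pattern for contrast (generic, not the plugin's code): echoing
			// $_POST['confirmPeriod'] straight into value="..." re-emits the raw
			// request string; the payload's leading double quote closes the
			// attribute and onmouseover=alert(); becomes a live event handler.
			// The min attribute below is a UX hint only; enforcement is absint() above.
			?>
			<input type="number" min="1" id="confirmPeriod" name="confirmPeriod"
			       value="<?php echo esc_attr( $period ); ?>" />
			<?php submit_button( 'Save', 'primary', 'sbm' ); ?>
		</form>
	</div>
	<?php
}

// Register under Users, mirroring the users.php?page=... URL in the request above.
add_action( 'admin_menu', function () {
	add_users_page(
		'Inactive User Deleter (example)',
		'Inactive User Deleter (example)',
		'manage_options',
		'iud-example-settings', // assumed menu slug
		'iud_example_render_page'
	);
} );
```

Two points the thread's back-and-forth illustrates: a nonce and a capability check are different controls (the first stops a victim admin from being tricked into submitting the form, the second stops a low-privilege user from submitting it directly), and coercing the value on the way in does not protect a template that reads the raw request value on the way out, which is why `esc_attr()` at the sink is the control that would have closed the `confirmPeriod` report regardless of what the handler did.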
   
 *  Plugin Author [shra](https://wordpress.org/support/users/shra/)
 * (@shra)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/#post-16789154)
 * Thank you, @fearzzzz! I found out what you meant. I hope it is fixed now. The new
   version is uploaded (1.61).
 *  Anonymous User 20889438
 * (@anonymized-20889438)
 * [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/page/2/#post-16789178)
 * [@shra](https://wordpress.org/support/users/shra/), good job! 🙂


The topic ‘Security Vulnerability reported’ is closed to new replies.

 * [Inactive User Deleter](https://wordpress.org/plugins/inactive-user-deleter/)

 * 16 replies
 * 4 participants
 * Last reply from: Anonymous User 20889438
 * Last activity: [3 years ago](https://wordpress.org/support/topic/security-vulnerability-reported-2/page/2/#post-16789178)
 * Status: resolved