Wordfence also flags this plugin as having a “critical” vulnerability.
No rush, I removed your plugin from my website due to your absence.
Plugin Author
wpo-HR
(@wpo-hr)
Sorry, I have no information why and on what basis wordfence or really-simple-ssl mark my plugin as having a vulnerability.
The only valid source I know is patchstack.com. They normally inform plugin-authors if they have information regarding plugin vulnerabilities. When contacting patchstack I learned that in their database there indeed is currently an open issue regarding this plugin. No idea, why I did not receive that information.
However, Patchstack's open entry regarding this cross site scripting issue is classified as low priority and ‘mitigation unnecessary’. And to make it clear: no hacker can add harmful code to my plugin using this vulnerability.
My plugin optionally uses fancybox to display images. The vulnerability refers to a situation, where a registered user of a website with granted edit and publish capabilities could publish a page with malicious html code for a fancybox parameter. In my understanding this should be possible on any website using fancybox (with or without my plugin).
I informed patchstack that in my view this vulnerability is more an issue for fancybox than for my plugin. I also opened an issue for fancybox on GitHub asking whether it is possible to harden the fancybox parameter handling. But because of the low classification ‘low priority’ and ‘mitigation unnecessary’ I do not expect a timely response.
Conclusions:
On websites where only trusted registered people can publish or where published pages are controlled independently there is no issue because of this vulnerability.
For a future release I might consider providing a setting to optionally disable the fancybox use in my plugin.
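For readers who maintain a plugin that emits fancybox markup from post-supplied values, the following is an added illustration of the server-side hardening the author's post refers to; it is not the plugin's code. The function names are hypothetical, stand-alone `htmlspecialchars()`/`strip_tags()` stand in for WordPress's `esc_attr()`/`wp_kses()`, and it assumes the lightbox inserts the caption as HTML, which is why tags are stripped before the value is attribute-escaped.

```php
<?php
// Added example, not from the plugin: escape values that end up in
// fancybox data-* attributes so user-supplied text cannot leave the
// attribute or, if the lightbox renders captions as HTML, inject tags.

function fancybox_attr(string $value): string {
    // ENT_QUOTES escapes both " and ' so the value cannot close the attribute.
    // Stand-in for WordPress esc_attr().
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function fancybox_caption(string $caption): string {
    // Assumption: the lightbox sets the caption via innerHTML, so the browser
    // decodes &lt; back to < before it is rendered. Strip tags first
    // (stand-in for wp_kses() with an empty allow-list), then escape.
    return fancybox_attr(strip_tags($caption));
}

function render_fancybox_link(string $href, string $caption, string $group): string {
    // Only http(s) image URLs are accepted; anything else is dropped.
    if (!preg_match('#^https?://#i', $href)) {
        return '';
    }
    return sprintf(
        '<a href="%s" data-fancybox="%s" data-caption="%s">%s</a>',
        fancybox_attr($href),
        fancybox_attr($group),
        fancybox_caption($caption),
        fancybox_attr(strip_tags($caption))
    );
}

// Constructed sample: a caption containing quotes and a tag, as a user with
// publish capability could supply in post content.
$caption = 'Beach "sunset" <b>2024</b>';
echo render_fancybox_link('https://example.com/a.jpg', $caption, 'gallery'), PHP_EOL;
// Emits: <a href="https://example.com/a.jpg" data-fancybox="gallery"
//        data-caption="Beach &quot;sunset&quot; 2024">Beach &quot;sunset&quot; 2024</a>
```

Whether the second step (stripping tags) is needed depends on how the installed fancybox version renders `data-caption`; escaping alone keeps the value inside the attribute but does not stop HTML that the lightbox later injects as markup.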
Thank you for your investigation and explanation!