Vulnerability reported

dalbert
(@dalbert)

1 year, 1 month ago

Solid Security recently started reporting the following vulnerability:
WordPress Arconix FAQ plugin <= 1.9.5 – Reflected Cross Site Scripting (XSS) vulnerability
I love this FAQ tool, but the vulnerability appears serious, are there plans to fix this?

Viewing 6 replies - 1 through 6 (of 6 total)

sussexaa
(@sussexaa)

1 year, 1 month ago

Reported by Patchstack and Wordfence also.

https://patchstack.com/database/wordpress/plugin/arconix-faq/vulnerability/wordpress-arconix-faq-plugin-1-9-5-reflected-cross-site-scripting-xss-vulnerability

sussexaa
(@sussexaa)

1 year, 1 month ago

Any estimate of when a fix will be available?

acwporg
(@acwporg)

1 year, 1 month ago

time to delete I think.. It was reported back in November and they’ve done nothing.. And not even a courtesy to reply here..

sussexaa
(@sussexaa)

1 year, 1 month ago

Yesterday I got an email reply to the ticket I submitted on their support site.

I am David from Tyche Softwares, the authors of the Arconix FAQ plugin, which Wordfence and Patchstack marked as vulnerable to XSS attacks. This issue was brought to our attention last week, and we have already started taking effective steps to patch the security issue.

We will roll out an update as soon as this is fixed and rigorously tested to ensure that it doesn’t break anything else.

We also apologize for the panic and trouble this must have caused on your end.

https://tychesoftwares.freshdesk.com/support/tickets/64854

acwporg
(@acwporg)

1 year, 1 month ago

And yet it was logged here 16 days ago and they didn’t know and surely the researcher that found it in November told them too…

Thread Starter dalbert
(@dalbert)

1 year, 1 month ago

Thank you for sharing the update @sussexaa That’s good news!
I guess, for their future, reporting on their support site is the right strategy.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Vulnerability reported’ is closed to new replies.