I’ve submitted a pull request to the author on their GitHub about this. It includes a fix for the vulnerability. If you want, you can go to my fork of it linked to the pull request where I have the corrected code. You just need to download and replace the cptbc-frontend.php file found here:
https://github.com/aedelgod/CPT-Bootstrap-Carousel/tree/master/src
Here is a link to my pull request on the plugin author’s repo:
https://github.com/ewels/CPT-Bootstrap-Carousel/pull/100
and here is the commit showing the changes in code between the two that addresses the vulnerability if you are interested:
https://github.com/ewels/CPT-Bootstrap-Carousel/pull/100/commits/0eb5af3f26a15a61571b4dbb765bb358fb7326c1
Thank you! Apologies for the slow response, this had the perfect storm of being Christmas + paternity leave. Merged, will push a release ASAP.
Version 1.13 with this fix just released. Hopefully that solves the problem. Thanks both!
Thanks for the update – much appreciated.
Now we need to wait and see if WordPress’s “full review” allows the plugin back into the repository! I don’t know how you’d ask them to review it now that the update is in place.
I suppose that I’ll get the updated version from your GitHub repository in the meantime.
Jetpack also, I assume, still thinks that this plugin has a vulnerability, and won’t likely remove its warning until the new version is available in the repository again, is that right?
Anyway, thanks again Phil, for making this available. I’m glad to see that you haven’t totally abandoned it!
What you hadn’t seen was that I got an email from WordPress before this issue alerting me to the problem and explaining that it had been disabled. I replied to that last night asking for it to be re-reviewed, so hopefully it’ll be approved soon.
I’m not sure how Jetpack works, but I assume it’ll be related.