XSS Vulnerability

tuesdave,
First – thanks for bringing this to our attention, although it is not a crucial item because the content is coming from a verified feed and we control the feed (which is verified when it comes into your site).

That said, I want to point out something – NEVER post a security vulnerability to a public forum before contacting the creator and giving them a chance to fix it and release a patch – otherwise you are letting the rest of the world (hackers included) know the problem that has no current solution. Then after the fix is available, you can post about it to let others know they need to update because of a security issue. This is called “Responsible Disclosure”.

In this case it is not that big of a deal because a hacker would need to gain access to your admin area first and then pass bad data to the feed, so it is very unlikely to happen unless your site is already compromised.

We will be updating the plugin in the next few days (probably by Monday) and I will make sure this fix is in the update.

Again, thanks for letting us know.
Warmest regards,
Don

Not a problem, just a learn-able moment!

An update on the issue:
I have reached out to the Simplepie/WordPress community find out if this is really an issue or not. Upon further investigation on our part, this part of the code is related to the SimplePie function get_content() and not the WordPress get_the_content() function (which should be escaped when not using the_content()). So looking through their documentation, they show direct output like above – probably because that function uses a sanitize function on the data before returning it.

I am waiting for clarification on this so I will post the outcome here. If we do not hear back from anyone in time for the update, we will just assume that is should be escaped and will add that to the plugin update.

Warm regards,
Don