XSS Vulnerability | ww.wp.xz.cn

Resolved nymeria55
(@nymeria55)

3 years, 2 months ago

Hi,

According to Patchstack, there is a high severity vulnerability in this plugin: https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-contact-form-7/wordpress-drag-and-drop-multiple-file-upload-pro-contact-form-7-standard-plugin-2-11-0-reflected-cross-site-scripting-vulnerability?_a_id=110

I’m using the free version of the plugin and I’m currently running on version 1.3.6.7, which seems to be the latest available version (and not 2.11.0 which Patchstack states). Is this a false alarm or how can I update my current version?

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Author Glen Don Mongaya
(@glenwpcoder)

3 years, 2 months ago

Hello @nymeria55

The vulnerability has been fixed on recent update which is the latest version 1.3.6.7.

The link you have provided is for the pro version only.

Here’s for the free version patch link – https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-contact-form-7/wordpress-drag-and-drop-multiple-file-upload-contact-form-7-plugin-1-3-6-5-multiple-csrf-vulnerabilities?_a_id=241

There’s no need to worry everything is updated.

Thanks for letting me know.

Thread Starter nymeria55
(@nymeria55)

3 years, 2 months ago

Thank you for the quick reply, @glenwpcoder!

Alright, that makes sense. Good to know I’m on the safe side.

However, I’m not sure to whom I’d have to report that, but the extension “WP Toolkit” led me to that patch link. It still shows me that I need to update and is bothering me with warnings, even tough I’m not using the Pro version. It feels like the reported vulnerability is not flagged as only affecting the Pro version.

Thanks again for your help.

Plugin Author Glen Don Mongaya
(@glenwpcoder)

3 years, 2 months ago

They will eventually check if there’s new release of the plugin so they can update the status of the issue.

Thread Starter nymeria55
(@nymeria55)

3 years, 2 months ago

Perfect, thanks!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘XSS Vulnerability’ is closed to new replies.

6 replies
2 participants
Last reply from: nymeria55
Last activity: 3 years, 2 months ago
Status: resolved