Hi Jules,
I’ve not seen or heard of a report of this. Please elaborate on where you found this and give details on the issue.
Cheers,
Jeroen
Thanks for adding the link @ptaubman – I guess I should have included that 🙂
Thanks for the link. Though I cannot find any details on the actual vulnerability on that page. I checked the code again and it looks like everything is sanitized before updating the data. I do think there could be additional escaping of data, but this should only be affected if there’s compromised data written to the database in the first place (you probably have a different/larger issue if that happens); I’m not sure if that would be enough for an XSS vulnerability and if that is what they’re referring to. Any additional information that can be provided would be helpful.
@sormano , a message with all the information was sent via the contact form on your website on 2024-07-01 at 13:10:32 (EEST). Since we got zero replies and no patched version was released, the vulnerability was disclosed.
Hi Darius,
It does not appear that I’ve received anything. Could you please reach out again with details through this page/form: https://jeroensormani.com/contact/
Thanks
@sormano check your Slack DMs on the official WordPress Slack.
Great, I’ll ping the triage team so they can validate the patch asap.
I got confirmation from the triage team, recently released version 1.0.12 has a sufficient patch. Thank you!
Thank you, @darius_fx, for your communication, and @sormano, thanks for taking care of this!
Hi Jeroen,
I wanted to let you know that I received a notification today that Patchstack is reporting an Arbitrary Content Deletion vulnerability in the Dashboard Notes plugin <= 1.0.13:
https://patchstack.com/database/wordpress/plugin/wp-dashboard-notes/vulnerability/wordpress-wp-dashboard-notes-plugin-1-0-13-arbitrary-content-deletion-vulnerability
Cheers!
Jules
@juleswebb it was reported via the https://jeroensormani.com/contact/ on 2024-11-09 at 11:38:44 (EEST).
@darius_fx the email landed in my spam folder and I found/replied to it on 14-11-2024, but never got a reply.
@sormano I tried to search for emails with a specific report UID or sent from the domain name jeroensormani.com, but I have nothing in my mailbox. You got a report with all the details, but there’s still no patch available.