Forum Replies Created

Viewing 15 replies - 1 through 15 (of 39 total)
  • Thank you @carlosblazquez4global that worked for me.

    Hopefully a fix will come soon.

    Thread Starter Matt Enser

    (@mattenser)

    In case this helps anyone else we think the issue was that in Constant Contact I was using Rotating Refresh Tokens instead of Long Lived Refresh Tokens. Hope this fixes the issue.

    Screenshot of settings

    Thread Starter Matt Enser

    (@mattenser)

    Thanks I just submitted a ticket

    Thread Starter Matt Enser

    (@mattenser)

    Thank you @tw2113 for all your help! I was able to finish getting this setup and I used custom rules to filter based on the WPML data. Marking this as resolved.

    For what it’s worth, I had Cursor review the Wordfence message and the plugin files, and it provided this insight and update. If you update the includes/msp-shortcodes.php plugin file, you likely will be safe until they come up with an update. Assuming they don’t completely abandon the plugin.

    Summary of the vulnerability

    • Issue: In version 3.11.0 of Master Slider (master-slider.php shows Version: 3.11.0), the ms_slider shortcode accepts many attributes that are later interpolated directly into an inline <script> block in includes/msp-shortcodes.php without proper sanitization and escaping.
    • Impact: A contributor-level user can create or edit a post and insert a malicious shortcode like [ms_slider id="1" layout="…JS payload…"]. Because several attributes (layout, direction, fill_mode, view, parallax_mode, Flickr/Facebook parameters) were injected into JavaScript without esc_js() and only weak/no validation, this could break out of strings and run arbitrary JavaScript in visitors’ browsers.
    • Classification: This matches Wordfence’s description of authenticated stored XSS due to insufficient input sanitization and output escaping 1.

    What I changed to harden the plugin

    All changes are in includes/msp-shortcodes.php inside msp_masterslider_wrapper_shortcode.

    1. Sanitize and validate shortcode attributes

    Right after the shortcode attributes are merged and extracted:

        $mixed = shortcode_atts( /* … defaults … */, $atts , 'ms_slider' );
        extract( $mixed );

    I added a sanitization block that:

    • Normalizes scalar values:

        $id = absint( $id );

    • Whitelists layout/JS mode options to known-good values:

        $layout        = in_array( $layout, array( 'boxed', 'fullwidth', 'partialview', 'fillwidth' ), true ) ? $layout : 'fillwidth';
        $direction     = in_array( $direction, array( 'h', 'v' ), true ) ? $direction : 'h';
        $fill_mode     = in_array( $fill_mode, array( 'fill', 'fit', 'stretch', 'center', 'tile', 'fillrepeat', 'none' ), true ) ? $fill_mode : 'fill';
        $layers_mode   = in_array( $layers_mode, array( 'center', 'full' ), true ) ? $layers_mode : 'center';
        $parallax_mode = in_array( $parallax_mode, array( 'swipe', 'mouse', 'scroll', 'off' ), true ) ? $parallax_mode : 'swipe';
        $view          = preg_replace( '/[^a-z0-9_-]/i', '', $view );
        $slider_type   = in_array( $slider_type, array( 'custom', 'flickr', 'facebook', 'post' ), true ) ? $slider_type : 'custom';

    • Sanitizes external source configuration used inside JS:

        $flickr_key        = sanitize_text_field( $flickr_key );
        $flickr_id         = sanitize_text_field( $flickr_id );
        $flickr_type       = sanitize_text_field( $flickr_type );
        $flickr_size       = sanitize_text_field( $flickr_size );
        $flickr_thumb_size = sanitize_text_field( $flickr_thumb_size );

        $facebook_username   = sanitize_text_field( $facebook_username );
        $facebook_albumid    = sanitize_text_field( $facebook_albumid );
        $facebook_type       = sanitize_text_field( $facebook_type );
        $facebook_size       = sanitize_text_field( $facebook_size );
        $facebook_thumb_size = sanitize_text_field( $facebook_thumb_size );

    This ensures even if a contributor passes hostile shortcode attributes, they’re reduced to safe, expected formats before any output.

    2. Properly escape values embedded into JavaScript

    Inside the inline script where the slider instance is configured, I updated string injections to use esc_js():

    • Slider setup options:

        layout     : "<?php echo esc_js( $layout ); ?>",
        fillMode   : "<?php echo esc_js( $fill_mode ); ?>",
        layersMode : "<?php echo esc_js( $layers_mode ); ?>",
        dir        : "<?php echo esc_js( $direction ); ?>",
        view       : "<?php echo esc_js( $view ); ?>",

    • Parallax mode:

        <?php if ( 'off' != $parallax_mode ) {
            echo "\t\t\t\t\t\tparallaxMode    : '" . esc_js( $parallax_mode ) . "',\n";
        } ?>

    These changes stop JavaScript string breakouts via attributes like layout, direction, view, or parallax_mode.

    3. Escape Flickr and Facebook JS configuration

    The code that instantiates external-source controls previously embedded raw attributes in JS:

        // OLD (vulnerable)
        printf(
          "new MSFlickrV2( %s, { key:'%s', id:'%s', count:%d, thumbSize:'%s',imgSize:'%s', type:'%s' });",
          $instance_name, $flickr_key, $flickr_id, $flickr_count, $flickr_thumb_size, $flickr_size, $flickr_type
        );

        $facebook_username_prop = empty( $facebook_username ) ? '' : sprintf( "username:'%s', " , $facebook_username );
        $facebook_albumid_prop  = empty( $facebook_albumid  ) ? '' : sprintf( "albumId :'%s', " , $facebook_albumid  );

        printf(
          "new MSFacebookGallery( %s, { %s %s count:%d, thumbSize:'%s',imgSize:'%s', type:'%s' });",
          $instance_name, $facebook_username_prop, $facebook_albumid_prop, $facebook_count, $facebook_thumb_size, $facebook_size, $facebook_type
        );

    Now they are escaped and cast safely:

        // NEW
        if ( 'flickr' == $slider_type ) {
            printf(
                "new MSFlickrV2( %s, { key:'%s', id:'%s', count:%d, thumbSize:'%s',imgSize:'%s', type:'%s' });",
                $instance_name,
                esc_js( $flickr_key ),
                esc_js( $flickr_id ),
                (int) $flickr_count,
                esc_js( $flickr_thumb_size ),
                esc_js( $flickr_size ),
                esc_js( $flickr_type )
            );
        }

        if ( 'facebook' == $slider_type ) {
            $facebook_username_prop = empty( $facebook_username )
                ? ''
                : sprintf( "username:'%s', " , esc_js( $facebook_username ) );
            $facebook_albumid_prop  = empty( $facebook_albumid )
                ? ''
                : sprintf( "albumId :'%s', " , esc_js( $facebook_albumid ) );

            printf(
                "new MSFacebookGallery( %s, { %s %s count:%d, thumbSize:'%s',imgSize:'%s', type:'%s' });",
                $instance_name,
                $facebook_username_prop,
                $facebook_albumid_prop,
                (int) $facebook_count,
                esc_js( $facebook_thumb_size ),
                esc_js( $facebook_size ),
                esc_js( $facebook_type )
            );
        }

    This prevents a malicious shortcode from injecting JavaScript via Flickr/Facebook configuration.

    Result

    • The vulnerable paths identified by Wordfence (shortcode attributes ending up in inline JS) are now both:
        • Sanitized (normalized and cleaned before use), and
        • Escaped with esc_js() at the point of output.
    • This blocks a contributor from using a crafted shortcode to inject arbitrary JavaScript into the front-end, addressing the stored XSS described in the advisory.
    • Lint checks on msp-shortcodes.php pass with no new errors.
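
An alternative to escaping each value separately in the inline options block described in the reply above, added here as an example (not code from the post or from Master Slider): allow-list the attributes, then emit the whole options object with one JSON encode call. It uses plain PHP so it runs without WordPress; every `ms_example_` / `MS_EXAMPLE_` name is hypothetical and the input is constructed.

```php
<?php
// Added example. ms_example_* / MS_EXAMPLE_* names are hypothetical; allow-lists are those quoted above.
const MS_EXAMPLE_ALLOWED = array(
    'layout'    => array( 'boxed', 'fullwidth', 'partialview', 'fillwidth' ),
    'direction' => array( 'h', 'v' ),
    'fill_mode' => array( 'fill', 'fit', 'stretch', 'center', 'tile', 'fillrepeat', 'none' ),
);
const MS_EXAMPLE_DEFAULTS = array( 'layout' => 'fillwidth', 'direction' => 'h', 'fill_mode' => 'fill' );

function ms_example_clean_atts( array $atts ): array {
    $clean = array();
    foreach ( MS_EXAMPLE_ALLOWED as $key => $allowed ) {
        $value         = $atts[ $key ] ?? null;
        $clean[ $key ] = in_array( $value, $allowed, true ) ? $value : MS_EXAMPLE_DEFAULTS[ $key ];
    }
    // Free-form identifier: keep only the characters the reply's regex allows.
    $view          = is_string( $atts['view'] ?? null ) ? $atts['view'] : '';
    $clean['view'] = preg_replace( '/[^a-z0-9_-]/i', '', $view );
    return $clean;
}

function ms_example_inline_options( array $opts ): string {
    // JSON_HEX_* emits <, >, &, ' and " inside values as \uXXXX, so a value can
    // neither end a JS string literal nor close the surrounding <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $out   = array(
        'layout'   => (string) $opts['layout'],
        'dir'      => (string) $opts['direction'],
        'fillMode' => (string) $opts['fill_mode'],
        'view'     => (string) $opts['view'],
    );
    return json_encode( $out, $flags );
}

function ms_example_check( bool $ok, string $what ): void {
    if ( ! $ok ) { throw new RuntimeException( "check failed: $what" ); }
}

// Constructed input: attribute values carrying quote and tag characters.
$hostile = array( 'layout' => 'boxed"</script>', 'direction' => 'v', 'view' => "fade'x<y>" );
$clean   = ms_example_clean_atts( $hostile );
ms_example_check( 'fillwidth' === $clean['layout'], 'unknown layout falls back to default' );
ms_example_check( 'fadexy' === $clean['view'], 'view stripped to [a-z0-9_-]' );
// The output encoder holds on its own, even when handed the uncleaned values.
$raw = ms_example_inline_options( $hostile + array( 'fill_mode' => 'fill' ) );
ms_example_check( false === strpbrk( $raw, "<>'&" ), 'no raw <, >, quote or & in output' );
echo 'var opts = ', ms_example_inline_options( $clean ), ';', PHP_EOL;
```

Inside WordPress the same encoding is available through `wp_json_encode()`, which accepts the same flags.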

    Thanks @cherkassy this worked for me!

    Thread Starter Matt Enser

    (@mattenser)

    For the code issue, it seems that if I update the pages in question the code gets fixed. Maybe that is how you reindex a page specifically?

    Thread Starter Matt Enser

    (@mattenser)

    Thank you @tw2113 I really appreciate the help but I have a few follow up questions.

    Code Shows Up In Auto Suggest

    1. Is there something I should check on my end to make sure this is working? Is there a setting to turn on?
    2. I will try updating the php code based on that documentation thank you.
    3. I have reindexed the whole site multiple times so that would include that post, but how do I reindex one page specifically? I don’t see an option for that.

    New Questions:

    1. Would the multilanguage aspect of this site be a contributing factor? We use WPML Plugins to create two versions of each page, one in English and one in Spanish. I ask because the pages that have issues seem to be the Spanish pages. Not all Spanish pages are having issues but the ones that do seem to be Spanish.
    2. On the Algolia side, the context of one of the pages in question seems to be exactly what is showing up in the auto-complete, so not sure if that tells us anything. Here is a screenshot.

    Is Content Type Specific Search Possible?

    This seems to be what I am looking for, so will see if I can emulate this and let you know if I have any questions. Thank you.

    Thread Starter Matt Enser

    (@mattenser)

    Okay thank you. I just submitted a support ticket.

    Master Slider replied: “Our team will implement the necessary changes following further investigation.”

    This doesn’t seem promising that it will be soon. Hopefully they will fix soon.

    Thread Starter Matt Enser

    (@mattenser)

    Thank you @registrationmagicsupport.

    When I update the shortcode to have the S, the whole form doesn’t work, but with the old format, the form does work. Here is a screen recording.

    Since the form doesn’t work, this is kind of a step backwards, and I am unsure if this fixes the reCAPTCHA issue.

    Thread Starter Matt Enser

    (@mattenser)

    Just tested with reCAPTCHA turned off and it does work then, so it is definitely an issue with that somehow. For now I am leaving reCAPTCHA off so people can sign up, but I need to turn it back on so we have the protection.

    • This reply was modified 5 months, 3 weeks ago by Matt Enser.
    Matt Enser

    (@mattenser)

    I see the same error and tried filling out the chat contact form on their site to see if they will take action on fixing this.

    Matt Enser

    (@mattenser)

    Not sure if this is the same issue on my end but when I updated the tickets and the event calendar plugin, all my events calendar pages stopped working, and many are going to 404.

    When I reverted back to the old version of the plugin this issue went away.

    Thread Starter Matt Enser

    (@mattenser)

    Okay, it seems good for now. Hopefully it stays connected this time.
