• Hello, yesterday I installed the plugin because I need timeline functionality. But my scanner detected the following:

    The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks

    Classification

    Type: XSS
    OWASP top 10: A7: Cross-Site Scripting (XSS)
    CWE: CWE-79
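A defensive illustration of the bug class the scanner reports, as an added example that is not the History Timeline plugin's code: a hypothetical timeline item saved from a post meta box and rendered by a shortcode, first without sanitisation or escaping, then with WordPress's sanitise-on-input and escape-on-output helpers. All `ht_demo_` names, meta keys and the shortcode tag are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical meta keys and shortcode tag.

// VULNERABLE pattern: raw POST values stored, raw meta echoed into the page.
// Any user who can edit a post (Author role and up) can store a payload here.
function ht_demo_save_vulnerable( $post_id ) {
    if ( isset( $_POST['ht_demo_title'] ) ) {
        update_post_meta( $post_id, '_ht_demo_title', $_POST['ht_demo_title'] ); // no sanitisation
    }
}
function ht_demo_render_vulnerable( $atts ) {
    $title = get_post_meta( get_the_ID(), '_ht_demo_title', true );
    return '<h3 class="ht-title">' . $title . '</h3>'; // no escaping: stored XSS
}

// HARDENED pattern: verify intent and capability, sanitise on input, escape on output.
function ht_demo_save_hardened( $post_id ) {
    if ( ! isset( $_POST['ht_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['ht_demo_nonce'], 'ht_demo_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['ht_demo_title'] ) ) {
        // Plain-text field: tags and control characters are stripped before storage.
        update_post_meta( $post_id, '_ht_demo_title',
            sanitize_text_field( wp_unslash( $_POST['ht_demo_title'] ) ) );
    }
    if ( isset( $_POST['ht_demo_body'] ) ) {
        // Rich-text field: keep only the HTML WordPress allows in post content.
        update_post_meta( $post_id, '_ht_demo_body',
            wp_kses_post( wp_unslash( $_POST['ht_demo_body'] ) ) );
    }
    if ( isset( $_POST['ht_demo_year'] ) ) {
        update_post_meta( $post_id, '_ht_demo_year', absint( $_POST['ht_demo_year'] ) );
    }
}
function ht_demo_render_hardened( $atts ) {
    $id    = get_the_ID();
    $title = get_post_meta( $id, '_ht_demo_title', true );
    $body  = get_post_meta( $id, '_ht_demo_body', true );
    $year  = get_post_meta( $id, '_ht_demo_year', true );
    // Escape for the context each value lands in: attribute, HTML text, filtered HTML.
    // Escaping on output is still required even though input was sanitised.
    return '<div class="ht-item" data-year="' . esc_attr( $year ) . '">'
        . '<h3 class="ht-title">' . esc_html( $title ) . '</h3>'
        . wp_kses_post( $body )
        . '</div>';
}
add_action( 'save_post', 'ht_demo_save_hardened' );
add_shortcode( 'ht_demo', 'ht_demo_render_hardened' );
```

When reviewing a plugin for this finding, check every `update_post_meta`/`update_option` write for a sanitiser and every echo of stored data for a context-appropriate `esc_*` call; either half missing is enough to reproduce the scanner's result.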

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thanks for posting this, Jair. I have been hoping for this to be patched for months. I would really like to know if they have any plans to do so, as I’ve used this plugin extensively and had to take that portion of my site offline.

    Plugin Author themesawesome

    (@themesawesome)

    Hello,

    Thank you for your attention about the plugin.
    We’re planning to update all of our plugins within this month, also fixing any issue found.

    As for the XSS issue, this plugin has been tested and passed the test. It would be great if you could provide us the source of the issue.

    Cheers

    Hello,

    We have provided all the information we have about this issue via private email. It’s been months now and you have yet to provide a patch, so I thought I’d try one last time before uninstalling this plugin and rebuilding the timeline using some other plugin or layout.

    Thank you for your attention to this important concern.

  • The topic ‘History Timeline <= 1.0.6 – Author+ Stored Cross-Site Scripting’ is closed to new replies.