Viewing 15 replies - 1 through 15 (of 22 total)
  • Greetings: Do you plan to issue an update? Thanks for any help you can provide.

    Best,

    Mark

    Hope you can fix it too.

    Everyone: FYI:
    “This only affects multi-site installations and installations where unfiltered_html has been disabled.”

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-nested-pages/nested-pages-326-authenticated-administrator-stored-cross-site-scripting

    We’re also looking forward to the security issue to be resolved.

    Cheers!

    @nvg… Thanks!

    How can we tell if “unfiltered_html has been disabled”?

    Cheers.

    @korg007 you need to install a plugin that allows you to see and modify user roles.

    By default, I think the Administrator and Editor roles have unfiltered_html enabled. You may want to disable this feature for all roles.

    unfiltered_html is useful if you must add iframes in your design – which are considered dangerous. However, that would also be the case when your website allows visitors to leave comments (a hacker could insert a malicious iframe and other visitors would be in danger).

    Obviously, this is the simplest, most common scenario; there may be others I am not aware of – I just did some research and found the above.

    Hope it helps.
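    The check @crisicon describes can also be done without a third-party role plugin. The following is an added example mu-plugin, not code from this thread or from Nested Pages: the `uha_` function names are hypothetical and the revoked-roles list is a constructed example. It reports which roles hold `unfiltered_html` (the condition the Wordfence note hinges on), covers the multisite and `DISALLOW_UNFILTERED_HTML` cases, and shows how to revoke the capability per role at check time.

```php
<?php
/**
 * Plugin Name: Unfiltered HTML Audit (added example, not Nested Pages code)
 */
// To strip unfiltered_html from everyone, super admins included, define this in
// wp-config.php (constants must be set before WordPress loads, not from a plugin):
// define( 'DISALLOW_UNFILTERED_HTML', true );

/** Roles to revoke unfiltered_html from (constructed example list; adjust as needed). */
function uha_revoked_roles() {
    return array( 'editor' );
}
/** True when unfiltered_html has been disabled for everyone on this install. */
function uha_globally_disabled() {
    return defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
}
/** Roles whose members pass current_user_can( 'unfiltered_html' ); empty on multisite,
 *  where WordPress grants the capability to super admins only, regardless of role. */
function uha_roles_with_unfiltered_html() {
    if ( uha_globally_disabled() || is_multisite() ) {
        return array();
    }
    $granted = array();
    foreach ( wp_roles()->role_objects as $name => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) && ! in_array( $name, uha_revoked_roles(), true ) ) {
            $granted[] = $name;
        }
    }
    return $granted;
}

// Revoke at capability-check time, leaving the stored role definitions untouched.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    $user = ( 'unfiltered_html' === $cap ) ? get_userdata( $user_id ) : false;
    if ( $user && array_intersect( uha_revoked_roles(), (array) $user->roles ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );

// Report the result to administrators as a dashboard notice.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $roles = uha_roles_with_unfiltered_html();
    $msg   = uha_globally_disabled() ? 'unfiltered_html is disabled site-wide via DISALLOW_UNFILTERED_HTML.'
        : ( is_multisite() ? 'Multisite: only super admins hold unfiltered_html.'
        : 'Roles with unfiltered_html: ' . ( $roles ? implode( ', ', $roles ) : 'none' ) . '.' );
    echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
} );
```

    Save it as wp-content/mu-plugins/unfiltered-html-audit.php so it loads without activation; the notice then tells you which of the Wordfence conditions your site falls under.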

    Thanks @crisicon,

    We do have such a user/access plugin so are vulnerable. Hoping the fix comes soon.

    Thanks for your reply!

    Also hoping for a fix soon!

    Greetings!
    Security is of utmost importance.

    Any chance the dev could provide an update of sorts, please? That would be much appreciated by the users of this useful plugin.

    Yes it’s been more than two weeks now…!

    For all those who don’t want to wait any longer, I switched the affected project to “F4 Post Tree” plugin: https://de.www.ads-software.com/plugins/f4-tree/

    Can very much recommend this as you get a page tree at the left side of the page list (similar to TYPO3 if somebody knows it) and that’s even more useful in my opinion.

    @claudiaiw

    Thanks for the recommendation but that is nothing like this plugin whereas Nested Pages replaced the clunky default WordPress page and post list entirely and makes it more manageable. Plus your recommendation doesn’t work with custom post types.

    Thanks, but I’ll hold out for an update here.

    korg007

    (@gillesgagnon)

    @viablethought, I agree. It’s not on par. Still, thanks to @claudiaiw for the recommendation.

    What’s odd is that www.ads-software.com hasn’t delisted this vulnerable plugin. They normally do after giving the devs a short grace period to patch the security hole.

    FWIW, I found the developer’s email address on Github where the plugin is listed. I emailed him directly, just in case he’s not seeing these messages.

    I hope he’ll respond. Feel free to reach out to him as well, in case my email goes to spam and he doesn’t see that either. Fingers crossed.

    @gillesgagnon

    I have posted the issue on Github which he should see.

    https://github.com/kylephillips/wp-nested-pages/issues/351

    Unfortunately, his plugins are not his full time gig, he may be busy with that or there is a lot of illness going around, could be laid up with that? Who knows. Dude is super talented and builds great stuff, if there was some type of “pro” version I would certainly support the cause, especially with this plugin – which should be part of core anyway.

    korg007

    (@gillesgagnon)

    @viablethought… well said. Thanks for also posting on github. Hopefully it’s not a health issue.

    Plugin Author Kyle Phillips

    (@kylephillips)

    Hi all,

    Alive and healthy. I’m unfamiliar with Patchstack, so I’ve reached out to them for specifics on the report, since the wording is a little vague. Once I receive additional information that will help identify the specific reason for the report I’ll patch and release.

  • The topic ‘Cross Site Scripting (XSS) vulnerability’ is closed to new replies.