Issue: Cross-site scripting (DOM-based)
Issue detail: The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.hash and passed to jQuery().
Path: /wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.min.js
References
Web Security Academy: Cross-site scripting
Web Security Academy: DOM-based cross-site scripting
Vulnerability classifications
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-116: Improper Encoding or Escaping of Output
CWE-159: Failure to Sanitize Special Element
CAPEC-588: DOM-Based XSS
https://patchstack.com/database/vulnerability/weather-atlas/wordpress-weather-atlas-widget-plugin-3-0-1-cross-site-scripting-xss-vulnerability?_a_id=431
Version 2.5.5 has a Cross-Site Scripting Vulnerability: https://patchstack.com/database/vulnerability/svg-support/wordpress-svg-support-plugin-2-5-5-authenticated-author-cross-site-scripting-via-svg-vulnerability
I get the token without any problems!
For security settings, I’m using the NinjaFirewall (WP Edition) plugin (free).
When I send a content update request via the REST API (POST, PATCH, PUT), I get the following error: 403
Log: 6558685 CRITICAL 115 my_IP PATCH /index.php – Cross-site scripting – [RAW:PATCH = {“content”: “<p style=\”font-size:18px…..
I work via token as admin. If I enable Debugging mode (Firewall Options), the log shows: 2947131 DEBUG_ON 115 my_IP PATCH /index.php – Cross-site scripting – [RAW:PATCH = {“content”: “<p style=\”font-size:18px\”
But the post is updated, the request passes. How can I fix it?
“What is the problem?
“The plugin is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘hover_animation’ parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. See more technical details of this threat
How to fix it?
Update to Elementor 3.22.0-beta2
I can’t even go to the selected page MYSELF and whitelisting does nothing. I shall ask that plugin too but this apparently just started, though they have had it in the past. I do think it’s slowing down the site and these seem to be legitimate requests (some are coming direct from Google) and the plugin does rely on their API.
Any suggestions?
Hey guys, is there an update on the way? I have disabled the plugin on my site but would really like to keep using it!