• Resolved redkite

    (@redkite)


    Will there be a fix coming for this?

    SEO Redirection <= 6.3 – Authenticated Reflected Cross-Site Scripting (XSS) reported by iThemes Security, first posted 3/16/2021?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Anonymous User 17160716

    (@anonymized-17160716)

    The risks are low, as this attack vector requires administrative rights. In such cases, this vulnerability rather indicates a flaw in the plugin code by the author, and that he should use best practices in development and think about security.

    Theoretically, from the side of an attacker, such vulnerabilities allow hiding (if this is a persistent/stored XSS) malicious code inside the administrative panel, but this, once again, requires administrator access to the WordPress dashboard. The reflected XSS attack vector requires the participation of the website administrator, that is, the administrator must follow the link containing the malicious code. And here we have several nuances: (1) the site administrator may not follow the link with the malicious code simply because of the human factor; (2) links with malicious code require obfuscation or shortening, which can alert the website administrator so that he will not follow such a link, which means that the payload will not work and the hacker will not get what he wants.

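An added illustration (not code from SEO Redirection or from anyone in this thread): a hypothetical WordPress admin page that reflects a query-string parameter, first in the unescaped form the reply above describes, then hardened with a capability check, a nonce and context-appropriate output escaping. All function, page and text-domain names are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical admin page that
// reflects the "q" query parameter, shown vulnerable and then hardened.

// VULNERABLE: the parameter is echoed unescaped into admin-page HTML, so a
// crafted link opened by a logged-in administrator runs script in their session.
function vulnerable_render_search_box() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<input type="text" name="q" value="' . $q . '">';
}

// HARDENED: only users with the right capability reach it, the request must
// carry a valid nonce (so a link crafted outside the dashboard is rejected),
// and every value is escaped for the context in which it is printed.
function hardened_render_search_box() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-textdomain' ) );
    }
    // check_admin_referer() dies if the _wpnonce query argument is missing or invalid.
    check_admin_referer( 'example_search_action' );

    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // esc_attr() encodes quotes and angle brackets so the value cannot break out
    // of the attribute; esc_html() does the same for text content.
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
    echo '<p>' . esc_html( sprintf( 'Results for %s', $q ) ) . '</p>';
}

// Links to such a page should themselves be generated with a matching nonce:
// wp_nonce_url( admin_url( 'admin.php?page=example-page' ), 'example_search_action' )
```

The escaping is the fix for the XSS itself; the nonce and capability check limit who can reach the page and whether a link from outside the dashboard is honoured at all.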

    Hi,

    We have fixed the issue.

    Regards

    What about the new vulnerability? Will you work on that?

    https://m0ze.ru/vulnerability/%5B2021-05-01%5D-%5BWordPress%5D-%5BCWE-79%5D-SEO-Redirection-WordPress-Plugin-v6.4.txt

    Is it new or similar to 6.3?

  • The topic ‘Fix for XSS Vulnerability?’ is closed to new replies.