Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Dmytro Holovnia

    (@dholovnia)

    Hi,

    Why are you creating a topic here with the name “Reflected Cross-Site Scripting via fs_request_get” when this has nothing to do with our plugin?

    Our plugin is not using Freemius and never did.

    Regards,
    Dmytro

    Thread Starter erniecom

    (@erniecom)

    I just reported what I did in response to the Wordfence notification (the link) of a vulnerability in your plug-in. It is no accusation on my part. I am just stating a fact.

    If you can convince Wordfence that you are NOT using the Freemius library in your plug-in then they will withdraw their accusation.

    From my search I could discover there is a freemius folder in your plugin. If it is still used or not, I cannot tell. What I can tell is that it is not patched. I compared your freemius/includes/fs_core_functions.php with the patched version 2.5.10 on GitHub.

    Might this (unused) folder have caused a false positive in Wordfence’s scans? If you are convinced that you don’t use Freemius (any more?) then you had better remove that folder so as not to cause false positives in Wordfence’s scans.

    • This reply was modified 1 year, 4 months ago by erniecom.
    Plugin Author Dmytro Holovnia

    (@dholovnia)

    Hi,

    OK, the problem is in another place. If you have a freemius folder in the plugin – you are using NOT OUR plugin. I suppose you are using this plugin: https://www.ads-software.com/plugins/min-and-max-quantity-for-woocommerce/

    Regards,
    Dmytro

    Thread Starter erniecom

    (@erniecom)

    Oooh, I am so sorry! By accident I clicked the wrong link when I Googled for the plugin name that Wordfence quoted in the notification email. The search result lists your plug-in indented under the plug-in I should have clicked. They seemed to belong together. Plugin names are confusingly similar, but still my fault. I will follow a different workflow to avoid this in the future.

  • The topic ‘Freemius SDK <= 2.5.9 – Reflected Cross-Site Scripting via fs_request_get’ is closed to new replies.