• Resolved anotherdave

    (@anotherdave)


    iThemes Security scans just started reporting this plugin as vulnerable.

    Since the Restrict Content plugin and iThemes Security are both part of StellarWP, I wondered – could this be a false positive?

    But then according to the PatchStack report at https://patchstack.com/database/vulnerability/restrict-content/wordpress-restrict-content-plugin-3-2-4-reflected-cross-site-scripting-xss-vulnerability apparently this is a verified issue because Restrict Content still implements the Freemius library.

    I just read this review of Restrict Content – https://www.ads-software.com/support/topic/please-remove-freemius/#post-16073058 – from 9 months ago, and although I agree that it should not have warranted a 1-star review, it turns out that the reviewer was onto something.

    Now I wonder – will this become something that StellarWP is going to patch? Or will this become something that every plugin using Freemius library version 2.5.10 will be affected by, and is the solution ultimately going to be a patch from Freemius?

    I’m sure it will get sorted, given the popularity of all plugins under StellarWP and the fact that Restrict Content is such a great plugin, but I must admit it’s a little disconcerting at the moment.

    Any input from devs?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor Israel Barragan

    (@reedyseth)

    Hi @anotherdave, thank you for your report. We are going to make sure that we update the Freemius library to the latest version, since this XSS is not in core RC.

    Thread Starter anotherdave

    (@anotherdave)

    @reedyseth thanks for the response. We’re looking forward to the update and the security alert notices to stop.

    Thank you for the update. I have taken over a site for a new customer who has been compromised in the past, and these messages are making them nervous. Can we have an ETA on this please?

    A question for anyone who has the answer:

    Would upgrading to the premium version resolve this issue in the meantime?

    Thread Starter anotherdave

    (@anotherdave)

    I must admit, it seems a bit ironic that iThemes Security basically promotes / is part of this plugin – https://help.ithemes.com/hc/en-us/categories/360004039733-Restrict-Content-Pro – and yet iThemes Security itself is still sending email alerts from its scans twice a day that this is Reflected XSS vulnerable.

    Plugin Contributor Israel Barragan

    (@reedyseth)

    We are releasing the patch update in the first days of August. Thank you for your patience. Just for the record, we are also removing Freemius in the following versions of RC.

    Thread Starter anotherdave

    (@anotherdave)

    Thanks so much for the update and releasing the patch. On August 7th iThemes finally stopped the warnings and marked the plugin as clean.

  • The topic ‘iThemes Security reports XSS vulnerability in this plugin’ is closed to new replies.