Viewing 4 replies - 1 through 4 (of 4 total)
  • Maria T

    (@mariatogonon)

    Hello @colewebdev – thanks for writing in and apologies for the inconvenience.

    Please, could you make sure your Popup Maker plugin is updated to its latest version? As we need to eliminate this as a potential cause of the issue before going any further in our investigation. Also, keeping a plugin up to date is generally a good rule of thumb, as bugfixes along with new features are generally implemented on a regular basis.

    If that helps, then we would very much appreciate it if you could quickly rate the plugin, just to help us spread the word.

    Otherwise, for us to assist you further with your issue, you will need to escalate it directly to our HelpScout support desk. Check out this link: https://wppopupmaker.com/support/ Thank you.

    Thread Starter Josiah

    (@colewebdev)

    Yes, we’re using the latest version (1.12.0) and the issue still exists.

    Maria T

    (@mariatogonon)

    Thanks for sending us an update, Josiah.

    Now, for us to assist you further with this, you will need to escalate it directly to our HelpScout support desk. Then, you can provide us temporary login access to your site if you want. This way, we can log in and we can take a closer look at the issue. Check out this link: https://wppopupmaker.com/support/ Thank you.

    Hey @colewebdev

    Thanks for using Popup Maker and for reaching out concerning this compliance issue.

    I did a bit of research yesterday to look into this and can now provide a bit more information.

    Popup Maker, like most plugins should, uses the default JavaScript libraries that are built into WordPress itself. This is done so that plugins can be compatible with each other rather than sites having multiple different versions of any particular library. If each plugin handled its own popular libraries, then there would be many plugins and themes that would not be compatible with each other and could even cause issues on sites.

    You can view the default JavaScript libraries, and their version, by looking at the documentation for the wp_enqueue_script here: https://developer.www.ads-software.com/reference/functions/wp_enqueue_script/#default-scripts-and-js-libraries-included-and-registered-by-wordpress

    Now, the version of jQuery UI that is within WordPress itself is currently 1.11.4, which is less than 1.12, which is why you are getting the notice about the compliance issue.

    Luckily, WordPress is already in the middle of a multi-release plan to update all aspects of jQuery with the first step taken in 5.5 to remove some of the older, no longer used systems. In WordPress 5.6, scheduled for release next month, the plan is to update many of the jQuery libraries, including jQuery UI, as discussed in their Trac ticket here: https://core.trac.www.ads-software.com/ticket/50564

    Since Popup Maker uses the built-in functions and systems, it will automatically use the newer version as soon as it’s available in WordPress.

    So, your site should be using the latest version as soon as WordPress 5.6 is released within the next month.

    That said, I also dug into the specific issue with the version cited in your scan. This reported issue is that, in certain situations, jQuery UI below 1.12 could potentially be used by XSS attacks to inject scripts or HTML into the page.

    Since Popup Maker only uses the jQuery UI within our own admin areas in only a handful of places, only in certain ways that do not affect any admin-capable functionalities, and uses the proper security protocols, such as nonces when submitting any data and properly filtering data before sending data to the browser, there should not be any actual risk coming from Popup Maker for using jQuery UI 1.11.4.

    Sorry for the lengthy response but I hope that explains the situation clearly enough. Feel free to let me know if you have any follow-up questions or concerns that I can answer.

  • The topic ‘PCI Compliance Issue – jquery-ui 1.11.4’ is closed to new replies.
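An added example, not part of the thread and not Popup Maker's or WordPress's own code: a check that lists the WordPress-bundled jQuery UI scripts in a page's HTML whose version is below 1.12, the condition the scan in this thread reported. It assumes the bundled files are served from `/wp-includes/js/jquery/ui/` with a `?ver=` query string; the function names and the sample markup are constructed for illustration.

```javascript
// Constructed sample markup (not output from a real site).
const SAMPLE_HTML = `
<script src="https://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"></script>
<script src='https://example.test/wp-includes/js/jquery/ui/core.min.js?ver=1.11.4'></script>
<script src="/wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4"></script>
<script src="/wp-content/plugins/some-plugin/js/site.js?ver=1.12.0"></script>
`;

// Compare dotted versions numerically; a plain string compare
// would wrongly rank "1.9.2" above "1.12.0".
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Return every bundled jQuery UI script whose ?ver= is below minVersion.
// Assumption: the path prefix and ?ver= parameter identify the bundled copy.
function findOldJqueryUi(html, minVersion = "1.12.0") {
  const findings = [];
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = scriptSrc.exec(html)) !== null) {
    // The base URL is a placeholder used only to resolve relative paths.
    const url = new URL(m[1], "https://placeholder.invalid");
    if (!url.pathname.includes("/wp-includes/js/jquery/ui/")) continue;
    const ver = url.searchParams.get("ver");
    if (ver === null) {
      // No version advertised: report it rather than assume it is current.
      findings.push({ path: url.pathname, version: null, status: "unknown" });
    } else if (compareVersions(ver, minVersion) < 0) {
      findings.push({ path: url.pathname, version: ver, status: "below-minimum" });
    }
  }
  return findings;
}

console.log(findOldJqueryUi(SAMPLE_HTML));
```

The `?ver=` value can be stripped or rewritten by caching and optimisation plugins, so an empty result from this check is not proof that the library is current.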