• Resolved Autosoft B.V.

    (@autosoftbv)


    Our WP toolkit (Plesk) informed us there’s a vulnerability.
    Please fix.

    WordPress Date Picker by Input WP – Sync bookings with external Calendars (.ics) plugin <= 2.2 – Reflected Cross Site Scripting (XSS) vulnerability

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hi there,

    Thank you for notifying us about the potential vulnerability in our WordPress Date Picker plugin. Could you please provide more details or logs of the issue? This will help us promptly address and resolve the problem with the assistance of our developers.

    Your cooperation is highly appreciated.

    Best,

    Niel, Input WP Support Team

    Thread Starter Autosoft B.V.

    (@autosoftbv)

    Unfortunately I don't have any more detailed info about this issue,
    it was automatically reported by our Plesk server WordPress Toolkit.

    If you can point me in any direction how to create the logs and/or info you need, I will try to provide it to you.

    The only info I have right now:

    “WordPress Date Picker by Input WP – Sync bookings with external Calendars (.ics) plugin <= 2.2 – Reflected Cross Site Scripting (XSS) vulnerability”

    Thread Starter Autosoft B.V.

    (@autosoftbv)

    It was also just reported by Wordfence.
    Supposedly it’s caused by Freemius SDK

    Your plugin uses version 2.4.3 of the SDK
    it should at least be version 2.5.10 according to Freemius


    https://www.wordfence.com/threat-intel/vulnerabilities/detail/freemius-sdk-259-reflected-cross-site-scripting-via-fs-request-get
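An added example, not part of the original thread or of the plugin's or Freemius's own code: a scan of a plugins directory for bundled Freemius SDK copies older than the 2.5.10 minimum named above. It assumes the SDK records its version as `$this_sdk_version = 'x.y.z';` in a `start.php` file; the plugin folder names and file contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 5, 10)  # minimum SDK version named in the thread
# Assumption: the SDK records its version as $this_sdk_version = 'x.y.z'; in start.php
VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*['\"](\d+(?:\.\d+)*)['\"]")

def parse_version(text):
    """Return the SDK version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_outdated(version, fixed=FIXED):
    """Numeric comparison, so 2.5.9 < 2.5.10 (a string compare gets this wrong)."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def scan_plugins(plugins_dir):
    """Map each plugin folder to its oldest outdated bundled SDK version."""
    findings = {}
    for start in Path(plugins_dir).rglob("start.php"):
        version = parse_version(start.read_text(encoding="utf-8", errors="replace"))
        if version is None or not is_outdated(version):
            continue
        plugin = start.relative_to(plugins_dir).parts[0]
        findings[plugin] = min(version, findings.get(plugin, version))
    return findings

def demo():
    """Build a constructed plugins tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed plugin names and versions
            "plugin-a/freemius/start.php": "<?php\n$this_sdk_version = '2.4.3';\n",
            "plugin-b/vendor/freemius/start.php": "<?php\n$this_sdk_version = '2.5.10';\n",
            "plugin-c/freemius/start.php": "<?php\n$this_sdk_version = \"2.5.9\";\n",
            "plugin-d/start.php": "<?php // unrelated file\n",
        }
        for rel, body in samples.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True)
            path.write_text(body, encoding="utf-8")
        return scan_plugins(tmp)

if __name__ == "__main__":
    for plugin, version in sorted(demo().items()):
        print(f"{plugin}: Freemius SDK {'.'.join(map(str, version))} < 2.5.10")
```

On a real site, pass the path of the `wp-content/plugins` directory to `scan_plugins()` instead of calling `demo()`.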

    Hi there,

    Thanks for letting us know about the issue! We’ll pass it to our devs for a closer look. We’ll keep you posted!

    Best,

    Niel, Input WP Support Team

    I can confirm that I too was warned today about this vulnerability from Wordfence.

    Any news on an update about this? If not I will need to find an alternative plugin.

    Hi there,

    Thanks for sharing your concern. I’ve already reported the vulnerability to the developers. Thanks for your patience.

    Best,

    Niel, Input WP Support Team

    Efs

    (@stevendigital)

    Hello @nielorit

    Today I also saw this vulnerability popping up in Wordfence that affects your plugin:

    Freemius SDK <= 2.5.9 – Reflected Cross-Site Scripting via fs_request_get

    Please check on this matter. Here is the whole report from Wordfence.

    Best Regards

    Thread Starter Autosoft B.V.

    (@autosoftbv)

    Any updates on this? @nielorit

    Hello Autosoft,

    We’ve just rolled out the fix for the Freemius vulnerability by updating to v2.5.10 today. Here are the details:

    • Fix Freemius vulnerability by updating to v2.5.10
    • Tested for compatibility with WordPress v6.3.1
    • Tested for compatibility with Contact Form 7 v5.8
    • Tested for compatibility with Divi v4.22.1

    Thanks for keeping an eye out, and let us know if you need anything else!

    Best,

    Niel, Input WP Support Team

    Thread Starter Autosoft B.V.

    (@autosoftbv)

    Thank you for the fix.
    Everything seems to be working properly.

  • The topic ‘Reflected Cross Site Scripting (XSS) vulnerability’ is closed to new replies.