• Resolved jeffersonpowers

    (@jeffersonpowers)


    As of 4/10/2024 Wordfence is reporting a medium-severity security vulnerability for this plugin. Is there a timetable for how soon this will be patched and the plugin updated?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Hi @jeffersonpowers,

    Thanks for reporting, this issue was resolved way back in July of 2021.

    https://patchstack.com/database/vulnerability/ga-google-analytics/wordpress-ga-google-analytics-plugin-20210211-authenticated-persistent-cross-site-scripting-xss-vulnerability

    Scroll down a bit and check the Solution section, where it says clearly:

    “Solution: Update the WordPress GA Google Analytics plugin to the latest available version (at least 20210719).”

    Please let your security service know they are out of date (by a lot), thank you.

    Thread Starter jeffersonpowers

    (@jeffersonpowers)

    Thanks for your reply. Wordfence is reporting it as a new issue that affects the most recent version of GA Google Analytics:

    The GA Google Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several tracking fields in versions up to, and including, 20240308 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

    But you’re right, the references in their notification refer to the 2021 issue so it’s possible that this is a false positive. In any case, you may want to look into it and see what you can do to get this resolved with the Wordfence people, as other users who also use Wordfence might also be concerned.
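
The Wordfence description quoted above names the two defects that produce a stored XSS in a settings field: missing input sanitization on save and missing output escaping on render, with the caveat that only administrators on multisite or sites where `unfiltered_html` has been removed are affected. The following is an added illustration, not code from the GA Google Analytics plugin, of how a tracking-ID option is handled so that neither defect exists. The option name, the `xyz_` function names and the ID pattern are assumptions for the example; the WordPress functions used (`register_setting`, `sanitize_text_field`, `add_settings_error`, `esc_attr`, `esc_js`) are real.

```php
<?php
/*
 * Added illustration (not the GA Google Analytics plugin's own code): a
 * tracking-ID setting handled in three layers so that a stored XSS of the
 * kind described in the report cannot reach a page.
 *   1. validate on save: accept only an ID shaped like "G-XXXXXXXX" or "UA-123456-7"
 *   2. sanitize on save: strip tags and control bytes before the value hits the DB
 *   3. escape on output: esc_js() inside the script, esc_attr() in the form field
 * Option name, pattern and xyz_ function names are assumptions for this example.
 */

const XYZ_OPTION = 'xyz_tracking_id'; // hypothetical option name

// Pure-PHP validator: returns the normalised ID or null. The pattern is an
// assumption covering GA4 "G-" and Universal Analytics "UA-" identifiers.
function xyz_validate_tracking_id( $raw ) {
    $id = strtoupper( trim( (string) $raw ) );
    if ( preg_match( '/^(G-[A-Z0-9]{4,12}|UA-\d{4,10}-\d{1,4})$/', $id ) ) {
        return $id;
    }
    return null;
}

// sanitize_callback for register_setting(): runs on every save regardless of
// the saving user's role, so an administrator is not trusted any more than
// anyone else. This is the check whose absence the report describes.
function xyz_sanitize_tracking_id( $input ) {
    $clean = sanitize_text_field( (string) $input ); // strips tags, NULs, extra whitespace
    $id    = xyz_validate_tracking_id( $clean );
    if ( null === $id ) {
        add_settings_error(
            XYZ_OPTION,
            'xyz_bad_id',
            __( 'Tracking ID must look like G-XXXXXXXX or UA-123456-7.' )
        );
        return get_option( XYZ_OPTION, '' ); // reject the save, keep the previous value
    }
    return $id;
}

add_action( 'admin_init', function () {
    register_setting( 'xyz_settings', XYZ_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'xyz_sanitize_tracking_id',
        'default'           => '',
    ) );
} );

// Settings form field: the value lands in an HTML attribute, so escape for
// that context even though it was sanitized on the way in.
function xyz_render_field() {
    $id = get_option( XYZ_OPTION, '' );
    printf(
        '<input type="text" name="%s" value="%s" />',
        esc_attr( XYZ_OPTION ),
        esc_attr( $id )
    );
}

// Front-end output: re-validate the stored value (it may have been written by
// some path other than the settings form) and escape for a JS string context.
add_action( 'wp_head', function () {
    $id = xyz_validate_tracking_id( get_option( XYZ_OPTION, '' ) );
    if ( null === $id ) {
        return; // print nothing rather than an unvalidated value
    }
    ?>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){ dataLayer.push(arguments); }
      gtag('js', new Date());
      gtag('config', '<?php echo esc_js( $id ); ?>');
    </script>
    <?php
} );
```

The re-validation on output is the part worth noting for the scenario in the report: even if a value that was never sanitized reached the `options` table, the strict pattern check means it is dropped rather than echoed, and `esc_js()` covers the remaining JavaScript-string context. A practitioner auditing a plugin for this class of finding looks for exactly those two places: the `sanitize_callback` (or equivalent) on save, and the `esc_*` call at each echo.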

    Plugin Author Jeff Starr

    (@specialk)

    Thanks, I just sent them a request to update the post.

    I appreciate the report, @jeffersonpowers

    @specialk – sent you a similar message through X this morning, with a link to the actual Wordfence report. They’re saying the vulnerability is specific to v20240308.

    Plugin Author Jeff Starr

    (@specialk)

    Thanks, if you check the Patchstack reference in their post, it says that the issue is resolved in version 20210719.

    Plugin Author Jeff Starr

    (@specialk)

    Update: Wordfence has removed the incorrect report from their system. Please let me know if there are any further issues or questions, always glad to help. Thank you to Wordfence, @jeffersonpowers, and @memben for their help with this.

    @specialk: That’s great to hear, thanks again.

  • The topic ‘Security vulnerability’ is closed to new replies.