Hi,
Thank you for the report. We’ve reviewed the vulnerability described at https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gumroad/gumroad-300-authenticated-contributor-stored-cross-site-scripting, and it appears to be a false positive.
The vulnerability description suggests that both admins and contributors to your WordPress website can insert malicious scripts using this plugin. However, this is not accurate. The Gumroad plugin permits the inclusion of product URLs following a specific format from the gumroad.com website. It does not allow other URLs. These URLs are then displayed as Modal Overlay or Embed widgets within posts using Gumroad’s embed script, as per its intended functionality.
You can examine the URL input validation in the Gumroad plugin’s source code, available at https://github.com/gumroad/wp-gumroad/blob/master/gumroad/src/gumroad-block/block.js. You can also review how the plugin injects Overlay or Embed widget code into your pages here: https://github.com/gumroad/wp-gumroad/blob/master/gumroad/includes/misc-functions.php. The code injected by this plugin is identical to the embed code that you can manually copy and add to your website without using this plugin, accessible at https://app.gumroad.com/widgets.
We are currently attempting to contact the individual who reported this as a vulnerability to gain a better understanding of the necessary steps for marking it as resolved. It’s important to note that this vulnerability does not cause any security issues or side effects beyond the intended functionality. In the interim, we recommend ignoring this reported vulnerability.
Thanks.
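The reply above rests on one claim: the plugin only accepts product URLs of a specific gumroad.com format, so a contributor cannot smuggle arbitrary content into the embed. The following is an added illustration of what such an allowlist check looks like when done strictly; it is not the wp-gumroad plugin's own validation code (see block.js for that). The accepted host pattern, the assumed product path shape `/l/<permalink>`, and the `gumroad-button` class on the generated anchor are assumptions made for the example, and all test URLs are constructed.

```javascript
// Added example: a strict product-URL allowlist of the kind the reply describes.
// NOT the wp-gumroad plugin's code; host and path rules below are assumptions.

// Assumed product-URL path: /l/<permalink> with a conservative character set.
const PRODUCT_PATH = /^\/l\/[A-Za-z0-9_-]+\/?$/;

// Returns a normalized https URL string when `raw` is an acceptable Gumroad
// product URL, otherwise null. Parsing with the WHATWG URL parser (rather than
// a substring check) is what defeats lookalike hosts, credentials in the
// authority, and non-https schemes such as javascript:.
function normalizeGumroadProductUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // unparseable input is rejected, not "fixed up"
  }
  if (url.protocol !== 'https:') return null;          // no http:, javascript:, data:
  if (url.username || url.password) return null;       // no user:pass@ trickery
  const host = url.hostname.toLowerCase();
  // Exact apex or a real subdomain; "gumroad.com.evil.com" fails both tests.
  if (host !== 'gumroad.com' && !host.endsWith('.gumroad.com')) return null;
  if (!PRODUCT_PATH.test(url.pathname)) return null;   // assumed product shape
  // Drop query and fragment so only origin + product path reaches the page.
  return `${url.origin}${url.pathname}`;
}

// Minimal HTML attribute escaping; the validated URL contains none of these
// characters, but the output stays safe even if the path rule is relaxed later.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Builds the anchor an overlay-style widget would hang off, or null when the
// URL is rejected. The class name is an assumption for this example.
function toEmbedAnchor(raw) {
  const href = normalizeGumroadProductUrl(raw);
  if (href === null) return null;
  return `<a class="gumroad-button" href="${escapeAttr(href)}">Buy on Gumroad</a>`;
}

// Constructed inputs exercising the rejection paths a reviewer cares about.
const SAMPLES = [
  'https://creator.gumroad.com/l/demo',              // accepted
  'https://gumroad.com/l/demo?wanted=true#x',        // accepted, query stripped
  'https://gumroad.com.evil.example/l/demo',         // lookalike host
  'http://gumroad.com/l/demo',                       // plain http
  'javascript:alert(1)',                             // scripting scheme
  'https://user:pw@gumroad.com/l/demo',              // credentials in authority
  'https://gumroad.com/l/demo"><script>x</script>',  // attribute breakout attempt
  'not a url at all',
];

function runSamples() {
  return SAMPLES.map((s) => [s, normalizeGumroadProductUrl(s)]);
}

module.exports = { normalizeGumroadProductUrl, toEmbedAnchor, runSamples };
```

Running `runSamples()` shows only the first two inputs surviving, and even the second comes back without its query string. The design point is that every rejection here comes from a parsed component (scheme, credentials, hostname, pathname), never from searching the raw string for "gumroad.com", which a lookalike host or a query parameter would satisfy.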