• Resolved tamar

    (@tamar)


    Hi – getting an error on my virus scanner (Virusdie) that Cartflows has an unpatched vulnerability. Any ETA on a new release to patch this?

    Threats Found
    in class-cartflows-pro-el-widgets-loader.php
    WP.Elementor.HeaderFooter.CVE
    Threat Danger Level:
    Status: malware
    Automatic cleaning: not available
    Malware highlighting: available
    
    WordPress Elementor – Header, Footer & Blocks Template plugin vulnerability. Immediate update is highly recommended. Versions: < 1.5.8. Affected file: inc/widgets-manager/class-widgets-loader.php. Type: Cross-Site Scripting (XSS). Details: XSS vulnerability allows an attacker to inject and execute HTML and JavaScript in user's browser. https://www.ads-software.com/plugins/header-footer-elementor/#developers , https://plugins.trac.www.ads-software.com/changeset/2506839/ . Update the plugin to the latest version: https://www.ads-software.com/plugins/header-footer-elementor/ . We also recommend you to check the folder mu-plugins, as there may also be vulnerable plugin.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support CartFlows Team

    (@cartflows)

    Hello @tamar

    Thank you for getting in touch with us!

    I am sorry for the inconvenience caused.

This issue report was related to HTML tags and the user’s input.

But in CartFlows & CartFlows Pro, we haven’t provided an HTML tags option in any widget. Also, the file named in the report is used only to load and include files, and there are no options that take input from the user.

The files which are being loaded are the CartFlows modules provided for Elementor, and those modules do not have any options which accept input from the user or HTML tags.

So, the reported vulnerability looks like a false positive. Also, to make it more secure, we have added a file-exists condition in that code and have prepared an update that is already scheduled.

That code will only load the module files of the CartFlows & CartFlows Pro plugins, respectively.

The conclusion is that this reported vulnerability was related to HTML tags and inputs accepted from users. Neither case exists in CartFlows or CartFlows Pro.

    We are contacting Virusdie tool, regarding the false positive reports.

I hope this clarifies things for you.

    Please let me know in case you have any questions. I will be happy to assist you.
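The loading pattern the CartFlows team describes above (a loader that includes only a fixed set of the plugin's own module files, guarded by a file-exists check, with no value taken from the request) as an added illustration. This is not CartFlows or CartFlows Pro code; the module file names, the `demo_` function name and the constant are invented for the example, and the only real WordPress API used is the `plugins_loaded` hook.

```php
<?php
/**
 * Added illustration, not CartFlows / CartFlows Pro code.
 *
 * A widget loader that includes a hard-coded list of module files from the
 * plugin's own directory. Nothing here reads request data, so there is no
 * user input that could be reflected into a page (the condition an XSS
 * finding of the kind in the scanner report would need).
 */

// Hypothetical module list (constructed for the example, not real file names).
const DEMO_WIDGET_FILES = array(
    'modules/widget-a/class-widget-a.php',
    'modules/widget-b/class-widget-b.php',
);

/**
 * Include every listed module that actually exists under $base_dir and
 * return the paths that were loaded. A missing file is skipped instead of
 * letting require_once raise a fatal "failed to open stream" error, and a
 * path that resolves outside the plugin directory is ignored as well.
 *
 * @param string   $base_dir Plugin directory, normally __DIR__.
 * @param string[] $files    Relative module paths.
 * @return string[]          Absolute paths that were included.
 */
function demo_load_widget_files( $base_dir, $files ) {
    $loaded    = array();
    $real_base = realpath( $base_dir );
    if ( false === $real_base ) {
        return $loaded;
    }
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    foreach ( $files as $relative ) {
        $candidate = $real_base . ltrim( $relative, '/\\' );

        // The file-exists guard: skip modules that are not shipped.
        if ( ! file_exists( $candidate ) || ! is_file( $candidate ) ) {
            continue;
        }

        // Defensive containment: only include files that resolve inside the
        // plugin directory, even though the list itself is hard-coded.
        $real = realpath( $candidate );
        if ( false === $real || 0 !== strpos( $real, $real_base ) ) {
            continue;
        }

        require_once $real;
        $loaded[] = $real;
    }

    return $loaded;
}

// Bootstrap: load the modules once all plugins are available.
// 'plugins_loaded' is a real WordPress action; the callback is ours.
if ( function_exists( 'add_action' ) ) {
    add_action( 'plugins_loaded', function () {
        demo_load_widget_files( __DIR__, DEMO_WIDGET_FILES );
    } );
}
```

The point for triage is that a scanner signature keyed on a file name (here a loader file with a name similar to the one fixed in the other plugin) says nothing about whether the file handles user input; reading the flagged file for request-derived values, as the reply above describes, is what separates a real reflected-input sink from a loader like this one.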

    Thread Starter tamar

    (@tamar)

    Thank you. Virusdie confirmed it was a false positive.

That being said, I posted this in the Cartflows Facebook group after not getting a response here in 2 days and 23 hours, and instead of responding to it there, the pending post was deleted and it was responded to here instead only. I think it would’ve been prudent not to silence me in the group you controlled but instead to have shared the update there as well. You did right in your response above, but it made me feel as if I did something wrong by raising it in the Facebook group.

    Plugin Support CartFlows Team

    (@cartflows)

    Hello @tamar

    Thank you for providing confirmation on this and I am glad that it is a false positive report.

Our developers do not monitor this forum regularly for support questions, but they offer an even faster and better experience through our Support Portal. Due to this, there might be a delay in the response here on the WordPress Forum questions.

Anyway, we do take all reports such as this one seriously, but we try not to create panic among users by allowing certain posts related to security; that is why the post in the FB group might not have been approved by the admin.

On the same note, as this issue is a false positive, if you face any such issues in the future, do let us know. I will be happy to help you.

    I hope this helps you.

    Feel free to get in touch in case you need any help or assistance.

    Thread Starter tamar

    (@tamar)

    Your answer in saying it was a false positive would’ve been sufficient to prevent the panic. Instead, I waited for someone to reply here.

    Plugin Contributor Adam @ WPCrafter

    (@wpcrafter)

    Hi Tamar, Adam here, one of the co-founders of CartFlows.

As stated, we take any security-related issue seriously. What I can say is, when anything like this is reported to us, the best course of action is not to post about it publicly until after it’s investigated and it’s determined whether an issue truly exists.

In this case, the responsible thing for us to do to protect all of our users is to not post information publicly right away. Publicizing an active vulnerability puts everyone in jeopardy. The responsible course of action is to only post public information if a vulnerability did exist and after we resolved it.

Creating software is a huge responsibility when it’s being used on almost 200k websites. Our private support desk is always there for you to take up issues like this.

  • The topic ‘Vulnerability’ is closed to new replies.