• Resolved itngo

    (@itngo)


    Hi,
    Why is the WP-Optimize plugin, even in the latest update, still using an old jQuery version?
    These versions have several XSS vulnerabilities. In my opinion this should be fixed ASAP!

    jQuery is vulnerable to Cross-site Scripting (XSS) attacks.
    Installed version: 1.6.3
    Fixed version: 1.9.0
    Installation path / port: /var/www/ak_it-ngo_com/web/wp-content/plugins/wp-optimize/vendor/mrclay/minify/builder/jquery-1.6.3.min.js

    CVE
    CVE-2012-6708
    CERT
    DFN-CERT-2020-0590
    CB-K18/1131
    Andere
    https://bugs.jquery.com/ticket/11290

    This creates an unnecessary risk for all pages using WP-Optimize, doesn’t it?

Viewing 2 replies - 1 through 2 (of 2 total)
  • @itngo Thanks for reporting the issue, I’ll check this with our development team to further investigate.

    Plugin Author David Anderson

    (@davidanderson)

    Hi,

    This file is bundled by a dependency that WP-O uses, but never loaded (since WordPress already loads its own version of jQuery). As such, it presents no security risk, so you don’t need to worry. (JavaScript can only present a security risk if requested by a user’s browser – as I say, this file never is).

    However, it is desirable to not trigger security tools unnecessarily since that brings overhead to everyone investigating the issue. Hence, in our next version, these files will be removed (which, since they’re unused, is the simplest solution). You can also manually remove them on your current install if you have a need to pass the scanner test before our next release.

    David

  • The topic ‘WP-optimize uses unsecure jquery’ is closed to new replies.
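
One way to triage this kind of scanner finding, as an added example that is not part of the thread or of WP-Optimize's code: list bundled jQuery copies older than the report's fixed version (1.9.0) and note whether a page's rendered HTML references them. The function names, the sample directory tree and the sample markup are constructed for illustration.

```python
import os, re, tempfile

FIXED = (1, 9, 0)  # "Fixed version" from the scanner report quoted in the thread
NAME_RE = re.compile(r"jquery-(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$", re.I)
BANNER_RE = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?")

def jquery_version(path):
    """Version from the file's banner comment if present, else from its filename."""
    with open(path, "rb") as fh:
        m = BANNER_RE.search(fh.read(2048))
    if m is None:
        m = NAME_RE.search(os.path.basename(path))
        if m is None:
            return None
    return tuple(int(g or 0) for g in m.groups())

def triage(plugin_root, rendered_html):
    """Return [(relative path, version, referenced_in_html)] for copies older than FIXED."""
    findings = []
    for dirpath, _dirs, files in os.walk(plugin_root):
        for name in files:
            if not name.lower().startswith("jquery") or not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            ver = jquery_version(full)
            if ver is not None and ver < FIXED:
                rel = os.path.relpath(full, plugin_root).replace(os.sep, "/")
                findings.append((rel, ver, rel in rendered_html))
    return sorted(findings)

def demo(html='<script src="/wp-includes/js/jquery/jquery.min.js"></script>'):
    """Build a constructed plugin tree and page markup so the example runs offline."""
    with tempfile.TemporaryDirectory() as root:
        builder = os.path.join(root, "vendor", "mrclay", "minify", "builder")
        os.makedirs(builder)
        with open(os.path.join(builder, "jquery-1.6.3.min.js"), "w") as fh:
            fh.write("/*! jQuery v1.6.3 */")  # constructed banner, not the real file
        with open(os.path.join(root, "jquery-3.6.0.min.js"), "w") as fh:
            fh.write("/*! jQuery v3.6.0 */")  # constructed newer copy, must not be flagged
        return triage(root, html)

if __name__ == "__main__":
    for rel, ver, used in demo():
        print(rel, ".".join(map(str, ver)), "referenced" if used else "not referenced")
```

Pointing `triage` at a real plugin directory together with the saved HTML of a rendered page gives the same report for an actual install.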