patrick1994
Forum Replies Created
thanks
They marked it as fixed.
Same link as yours: https://patchstack.com/database/vulnerability/flo-forms/wordpress-flo-forms-plugin-1-0-40-cross-site-scripting-xss-vulnerability?_a_id=431
Please fix the critical stuff at least, or bump the PHP version requirements.
The only critical problem with PHP 5.6 compatibility I see is this:
advanced-access-manager/application/Core/Jwt/Manager.php line 366
protected function jsonEncode(array $input): string
The other stuff appears fine to me or is used for command line stuff judging by the name “cli.php”, which appears like people can live with being broken on PHP 5.
- This reply was modified 1 year, 8 months ago by patrick1994.
Hi there,
I don’t see an update nor a “won’t fix” explanation.
The security nerds over here say it is still not fixed: https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
Not completely, though, right?
CTRL+F for “??” here:
Forum: Plugins
In reply to: [Ultimate Addons for Contact Form 7] Multi-step form “Next” not working
I disagree with this solution of adding a fake name [uacf7_step_end fake-name] or [uacf7_step_end end] or whatever you want to call it. There is a real fix and you should go through this plugin and check if it needs to be applied elsewhere, too.
The last param in the code below (“true”) needs to go away.
Here: plugins/ultimate-addons-for-contact-form-7/addons/multistep/multistep.php line 19
wpcf7_add_form_tag( 'uacf7_step_end', array( $this, 'step_end_tag_handler' ), true );
Because this param enables a name attribute for this tag and from Contact Form 7 5.7.3 onwards (I did test 5.7.2 to verify), if a name attribute is supported, it has to be provided, else the tag is shown as is (it says “[uacf7_step_end]” on the page so you need to say “[uacf7_step_end fake-name]” for it to work as expected).
Same issue and solution as with the Image Captcha plugin, see this thread, also by me: https://www.ads-software.com/support/topic/captcha-no-longer-displayed-because-it-supports-a-name-attribute/
Since some people have already applied your solution, it would be a reasonable worry that my fix would break things. But I did verify that both [uacf7_step_end] and [uacf7_step_end end] work, so nothing should break.
thanks for answering
The author of the image captcha plugin had fixed it.
Thanks for the quick fix.
I have reported this problem to the CF7 people, too, in case they care.
Update: The parent directory coincidentally also contained an includes/defines.php (a Joomla installation).
So I can fix it in my case by removing ‘..’ from the include_path. Though, the conclusion remains: Please replace
require_once 'includes/defines.php';
with
require_once __DIR__ . "/" . 'includes/defines.php';
in wp-statistics.php
Ok, don’t close just yet, please. A solution will be posted. Maybe by myself.
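The include_path problem from the wp-statistics.php reply above, reproduced as an added example (not code from the plugin or from the poster): with '..' on the include_path, the relative form loads the parent directory's file, while the __DIR__ form loads the plugin's own. The directory layout, file contents and temp path are constructed, and plugin.php is a hypothetical stand-in for wp-statistics.php.

```php
<?php
// Added example. Constructed layout under the system temp dir:
//   site/includes/defines.php            unrelated app in the parent dir
//   site/wp/plugin/includes/defines.php  the file the plugin means to load
//   site/wp/plugin/plugin.php            stand-in for wp-statistics.php
$root = sys_get_temp_dir() . '/incpath_demo_' . getmypid();
mkdir("$root/site/includes", 0700, true);
mkdir("$root/site/wp/plugin/includes", 0700, true);

file_put_contents("$root/site/includes/defines.php",
    "<?php return 'parent-dir file';");
file_put_contents("$root/site/wp/plugin/includes/defines.php",
    "<?php return 'plugin file';");

// The stand-in plugin loads the file both ways and reports what it got.
// (require and require_once resolve paths identically.)
$plugin = <<<'PHP'
<?php
return array(
    'relative' => (require 'includes/defines.php'),
    'anchored' => (require __DIR__ . '/includes/defines.php'),
);
PHP;
file_put_contents("$root/site/wp/plugin/plugin.php", $plugin);

// Working directory is the WordPress root and include_path contains '..',
// the condition described in the reply. Relative include_path entries are
// resolved against the working directory, not the including file.
chdir("$root/site/wp");
set_include_path('.' . PATH_SEPARATOR . '..');

$loaded = require "$root/site/wp/plugin/plugin.php";
foreach ($loaded as $form => $which) {
    echo str_pad($form, 9), '=> ', $which, PHP_EOL;
}
```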