Sahil Lavingia
Forum Replies Created
Forum: Reviews
In reply to: [Gumroad] Update needed for 2 1/2 years
Hi,
Thank you for the report. We’ve reviewed the vulnerability described at https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gumroad/gumroad-300-authenticated-contributor-stored-cross-site-scripting, and it appears to be a false positive.
The vulnerability description suggests that both admins and contributors to your WordPress website can insert malicious scripts using this plugin. However, this is not accurate. The Gumroad plugin permits the inclusion of product URLs following a specific format from the gumroad.com website. It does not allow other URLs. These URLs are then displayed as Modal Overlay or Embed widgets within posts using Gumroad’s embed script, as per its intended functionality.
You can examine the URL input validation in the Gumroad plugin’s source code, available at https://github.com/gumroad/wp-gumroad/blob/master/gumroad/src/gumroad-block/block.js. You can also review how the plugin injects Overlay or Embed widget code into your pages here: https://github.com/gumroad/wp-gumroad/blob/master/gumroad/includes/misc-functions.php. The injected code by this plugin is identical to the embed code that you can manually copy and add to your website without using this plugin, accessible at https://app.gumroad.com/widgets.
We are currently attempting to contact the individual who reported this as a vulnerability to gain a better understanding of the necessary steps for marking it as resolved. It’s important to note that this vulnerability does cause any security issues or side effects beyond the intended functionality. In the interim, we recommend ignoring this reported vulnerability.
Thanks.
Forum: Plugins
In reply to: [Gumroad] Button disappear
Where is the button supposed to show up? I don’t see a link to Gumroad on your site.
Forum: Plugins
In reply to: [Gumroad] Script not being loaded
Hi,
Think I figured it out. You need to use the Gumroad shortcodes on the page for it to work. We’re working on removing that requirement in a future version.
Forum: Plugins
In reply to: [Gumroad] Script not being loaded
Ah, I think I figured it out. In your post you said you created “gum.com/” links. They should be either “gum.co” or “gumroad.com” – let me know if that fixes it. Link me the page if not and I’ll debug further (your original link redirects to a different URL).
Forum: Plugins
In reply to: [Gumroad] Script not being loaded
Not yet. Which version of WP are you using?
Forum: Plugins
In reply to: [Gumroad] Script not being loaded
That’s strange. I’ll take a look and get back to you.
Forum: Plugins
In reply to: [Gumroad] Gumroad WP plugin version getting old
Just updated! Sorry about the delay.