A security issue has been reported in your plugin.
This email is to officially notify you of the issue(s). You are expected to address them promptly.
What to do next
YOUR PLUGIN HAS NOT YET BEEN CLOSED.
YOU HAVE 30 DAYS FROM THE SENDING OF THIS EMAIL TO RESOLVE ALL SECURITY RELATED ISSUES. SHOULD ANY BE FOUND AT THAT TIME, AND NO FORWARD PROGRESS MADE IN CORRECTING THEM, YOUR PLUGIN WILL BE CLOSED.
We have taken into consideration your standing in the community and the size of your user base and opted to not close the plugin at this time. However, we do so with the understanding that you will read this entire email and take appropriate action promptly.
Normally we feel it would be putting users at risk if we allowed them to download code that could be exploited and, once an exploit is reported, it is often acted upon by persons nefarious. In this instance we have decided not to do so. We feel the danger of FUD (fear, uncertainty, and doubt) as well as the potential for putting more users in danger by closing your plugin outweighs our normal concerns.
Your next steps are:
Review this entire email
Verify the exploit
Make all needed changes to your code
Perform a FULL security check of your entire plugin
Increase your plugin's stable version
Disclose in your readme the fix (you are not required to include details)
Update the code in SVN
Reply to this email when you're done
Plugins that are trusted to handle security issues without closure, and who do not address those issues swiftly, will find their plugins closed later and this trust revoked.
The Report
We received an external report about a security issue in one of the WordPress plugins:
We've been trying to contact the vendor for more than 5 business days, and still no answer.
The vulnerability reported is the plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin. and we consider it a high-risk level. We confirmed the issue in the current version, 2.0.3.
In order to replicate the attack, we recommend you follow the Proof-Of-Concept we're sharing:
Please add the below shortcode as a Contributor to the post, then, as an Admin, preview the page and hover the mouse:
The reporter has offered to assist you with solving this, or validating your fixes. You may contact them at security@wpscan.com for any question about this report.
Keep in mind, their confirmation of a fix does not guarantee your plugin will pass a full security and standards review, so please follow due diligence and review your entire plugin.
Note: This report is unlikely to be a complete list of all security issues in your plugin. At this time, we have not performed a full review of your plugin, but we will do so when you indicate the plugin is fixed. If more issues are found then, you will be granted a 15 day extension to correct the plugin.
Remember! As long as you reply to this, and make progress on fixing it for your users, your plugin is not in danger of being closed.
Should you, for any reason, find you are unable to update the plugin, please let us know promptly so we can help decide on the action to take to best look after your users.
Addresses the following email:
A security issue has been reported in your plugin.
This email is to officially notify you of the issue(s). You are expected to address them promptly.
What to do next
YOUR PLUGIN HAS NOT YET BEEN CLOSED.
YOU HAVE 30 DAYS FROM THE SENDING OF THIS EMAIL TO RESOLVE ALL SECURITY RELATED ISSUES. SHOULD ANY BE FOUND AT THAT TIME, AND NO FORWARD PROGRESS MADE IN CORRECTING THEM, YOUR PLUGIN WILL BE CLOSED.
We have taken into consideration your standing in the community and the size of your user base and opted to not close the plugin at this time. However, we do so with the understanding that you will read this entire email and take appropriate action promptly.
Normally we feel it would be putting users at risk if we allowed them to download code that could be exploited and, once an exploit is reported, it is often acted upon by persons nefarious. In this instance we have decided not to do so. We feel the danger of FUD (fear, uncertainty, and doubt) as well as the potential for putting more users in danger by closing your plugin outweighs our normal concerns.
Your next steps are:
Review this entire email Verify the exploit Make all needed changes to your code Perform a FULL security check of your entire plugin Increase your plugin's stable version Disclose in your readme the fix (you are not required to include details) Update the code in SVN Reply to this email when you're done
Plugins that are trusted to handle security issues without closure, and who do not address those issues swiftly, will find their plugins closed later and this trust revoked.
The Report
We received an external report about a security issue in one of the WordPress plugins:
https://wordpress.org/plugins/better-font-awesome
We've been trying to contact the vendor for more than 5 business days, and still no answer.
The vulnerability reported is the plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin. and we consider it a high-risk level. We confirmed the issue in the current version, 2.0.3.
In order to replicate the attack, we recommend you follow the Proof-Of-Concept we're sharing:
Please add the below shortcode as a Contributor to the post, then, as an Admin, preview the page and hover the mouse:
[icon name='flag' class='4x border' title='" onmouseover="alert(1)']
The reporter has offered to assist you with solving this, or validating your fixes. You may contact them at security@wpscan.com for any question about this report.
Keep in mind, their confirmation of a fix does not guarantee your plugin will pass a full security and standards review, so please follow due diligence and review your entire plugin.
Note: This report is unlikely to be a complete list of all security issues in your plugin. At this time, we have not performed a full review of your plugin, but we will do so when you indicate the plugin is fixed. If more issues are found then, you will be granted a 15 day extension to correct the plugin.
Remember! As long as you reply to this, and make progress on fixing it for your users, your plugin is not in danger of being closed.
Should you, for any reason, find you are unable to update the plugin, please let us know promptly so we can help decide on the action to take to best look after your users.