axelerant / testimonials-widget

Easily add social proofing to your website with Testimonials Widget. List or slide reviews via functions, shortcodes, or widgets.
http://wordpress.org/plugins/testimonials-widget/
GNU General Public License v2.0

Threat found: Testimonials Widget (version 3.5.1) has a known vulnerability #207

Open VanguardHQ opened 4 years ago

VanguardHQ commented 4 years ago

Hi - apologies if this is not the right place to ask, please can you help?

We have the Testimonials Widget (version 3.5.1) installed on our website. WordPress has identified that it has a vulnerability and I see a 'Threat found' message about the plugin.

Do you plan to release an update?

What can I do to remove this message so that there is no threat?

Many thanks, Sarah

saurabhsirdixit commented 4 years ago

Hi @VanguardHQ, thank you for letting me know about this request. I will release the next version of the plugin by this weekend. I will keep you updated here. Thanks

VanguardHQ commented 4 years ago

Many thanks @saurabhsirdixit. Thank you for your speedy response, much appreciated, Sarah

subharanjanm commented 4 years ago

@saurabhsirdixit Maybe replacing the line update_metadata( $type, $post_id, $property, $new ); with update_metadata( $type, $post_id, $property, sanitize_text_field( $new ) ); will fix the XSS vulnerabilities, since we are only using text type fields for these:

Moreover, this library (Redrokk Metabox Class) is not in active development. So it shouldn't be a problem to modify it directly. https://github.com/axelerant/testimonials-widget/blob/fd40ea02a5f92ce00c60c6c189024276d7f55642/includes/libraries/aihrus-framework/includes/libraries/class-redrokk-metabox-class.php#L418

It's time to switch to a new metabox library !!
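An added example (not code from the testimonials-widget plugin or the Redrokk metabox library) of the sanitize-on-save pattern suggested in the comment above, extended to pick the sanitizer by declared field type and to check the nonce and capability first. The function names, the `$tw_example_fields` list and the nonce name are assumptions.

```php
<?php
// Added example, not the plugin's or the Redrokk library's own code.
// Hypothetical field list: meta key => field type, mirroring a metabox definition.
$tw_example_fields = array(
    'tw_example_company' => 'text',
    'tw_example_url'     => 'url',
    'tw_example_email'   => 'email',
);

// Before: raw request values are stored as post meta unchanged, the shape the
// comment above flags. Anything stored here becomes a stored XSS sink if the
// widget later echoes it without escaping.
function tw_example_save_meta_unsanitized( $post_id, $type = 'post' ) {
    global $tw_example_fields;
    foreach ( $tw_example_fields as $property => $field_type ) {
        if ( isset( $_POST[ $property ] ) ) {
            $new = wp_unslash( $_POST[ $property ] );
            update_metadata( $type, $post_id, $property, $new );
        }
    }
}

// After: verify the request, then sanitize each value by its field type.
function tw_example_save_meta( $post_id, $type = 'post' ) {
    global $tw_example_fields;
    if ( ! isset( $_POST['tw_example_nonce'] )
        || ! wp_verify_nonce( $_POST['tw_example_nonce'], 'tw_example_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return; // Reject requests without a valid nonce or sufficient capability.
    }
    foreach ( $tw_example_fields as $property => $field_type ) {
        if ( ! isset( $_POST[ $property ] ) ) {
            continue;
        }
        $raw = wp_unslash( $_POST[ $property ] );
        switch ( $field_type ) {
            case 'url':
                $new = esc_url_raw( $raw );        // keeps only a well-formed URL
                break;
            case 'email':
                $new = sanitize_email( $raw );     // strips characters not valid in an address
                break;
            default: // 'text'
                $new = sanitize_text_field( $raw ); // strips tags, octets and line breaks
        }
        update_metadata( $type, $post_id, $property, $new );
    }
}
```

Sanitizing at save time limits what reaches the database, but the values must still be escaped with esc_html() or esc_attr() at the point where the widget renders them.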

VanguardHQ commented 4 years ago

Hello,

Many thanks for releasing the update. I've installed version 4.0.1 of the Testimonials Widget and rescanned our site, but am still getting the same message (see screenshot). We still have a 'threat found' message, please can you help?

Kind regards Sarah
