The plugin on WordPress is closed due to a security issue. (https://wordpress.org/plugins/mobile-call-now-map-buttons/)
WordFence has a security report on it here: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/mobile-call-now-map-buttons/mobile-call-now-map-buttons-150-authenticated-administrator-stored-cross-site-scripting
The main issue appears to be that text/settings that the user can enter on the backend admin page is not being sanitized/escaped the way WordPress would like it to be on the frontend. It is theoretically possible for someone to hack a website, insert a malicious script in one of those fields, and have that script run on the frontend.
The company I work for uses this plugin on multiple websites and would like to continue using it. We were wondering if you still maintain it and if so would you mind patching this vulnerability? If you are not maintaining it or would prefer to pass that responsibility on to someone else we would be willing to adopt the WP plugin.
Our company website is https://www.inboundhorizons.com/ and we currently have 2 plugins publicly released on WordPress with more on the way. https://wordpress.org/plugins/search/Inbound+Horizons/.
Thank you.
Cliff
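
An added example, not part of the original post and not the plugin's own code: a sketch of how a WordPress plugin can sanitize admin settings when they are saved and escape them again when they are printed on the frontend. The option names, settings group, CSS class and `example_sanitize_phone()` helper are hypothetical, and the code assumes it is loaded as a plugin file inside WordPress.

```php
<?php
/**
 * Plugin Name: Call Button Settings Hardening (illustrative example)
 */

// Hypothetical option names; the real plugin's option keys are not shown on this page.
const EX_OPT_PHONE = 'example_call_phone';
const EX_OPT_LABEL = 'example_call_label';

// Sanitize on save: each setting gets a callback, so what lands in the
// database is already constrained to the expected shape.
add_action( 'admin_init', function () {
    register_setting( 'example_call_group', EX_OPT_PHONE, array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_phone',
    ) );
    register_setting( 'example_call_group', EX_OPT_LABEL, array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );

// Keep only characters that can appear in a dialable number.
function example_sanitize_phone( $value ) {
    return preg_replace( '/[^0-9+]/', '', (string) $value );
}

// Escape on output: stored values are still treated as untrusted, because
// they may predate the sanitize callbacks or have been written another way.
add_action( 'wp_footer', function () {
    $phone = example_sanitize_phone( get_option( EX_OPT_PHONE, '' ) );
    $label = get_option( EX_OPT_LABEL, '' );
    if ( '' === $phone ) {
        return;
    }

    // Unescaped pattern of the kind described above, kept as a comment for contrast:
    // echo '<a href="tel:' . $phone . '">' . $label . '</a>';

    printf(
        '<a class="example-call-button" href="%s">%s</a>',
        esc_url( 'tel:' . $phone, array( 'tel' ) ), // URL context, tel: scheme only
        esc_html( $label )                          // HTML text context
    );
} );
```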