Open wschaapman opened 3 months ago
Hi @wschaapman, thanks for reporting this. I was informed about the issue, but I haven't had time to update the plugin yet. I'll push an update as soon as possible and release a new version to address the security vulnerability.
That being said, it applies to authenticated attackers, with contributor-level access and above, so at that stage the WordPress installation would already have been very compromised.
Fixed in 0.5.
New version gives fatal error when activated.
@wschaapman I've tested the plugin on my blog and I tried activating/deactivating, removing and re-adding the plugin and haven't been able to reproduce the fatal error. Can you copy and share the error you get, please? Also, what version of WordPress are you using?
Thanks!
When I download the plugin and do an install, a new plugin is created (the old one is also active) and the site gives a fatal error when activated, no more messages. Why don't I get a normal update message?
It could be because of a clash between the two versions of the plugins. Does the message still appear if you deactivate the old version and then install and activate the new one?
Then it is OK. But not the normal way to update a plugin?
Yes, while the plugin is being reviewed by WordPress to re-enable it, the normal update won't work. Hopefully it'll be re-enabled soon and you'll be able to update from the Admin Dashboard like usual.
List categories <= 0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Source: Wordfence https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/list-categories/list-categories-04-authenticated-contributor-stored-cross-site-scripting-via-shortcode
Please check