weDevsOfficial / wp-user-frontend

A WordPress plugin that brings much backend functionality to the site frontend
https://wordpress.org/plugins/wp-user-frontend/
225 stars, 147 forks

window.Promise polyfill #1462

Closed siliconforks closed 1 day ago

siliconforks commented 1 week ago

I noticed that this plugin appears to load a script from cdn.polyfill.io if window.Promise is not defined:

https://github.com/weDevsOfficial/wp-user-frontend/blob/v4.0.7/includes/Admin/Forms/Admin_Form_Builder.php#L205-L211

The cdn.polyfill.io domain appears to be no longer trustworthy:

https://sansec.io/research/polyfill-supply-chain-attack

In practice this is probably not really a vulnerability since essentially every browser has built-in support for window.Promise these days (so the script will never be loaded). But I think it would be best to remove this.
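A defender-side check for the pattern described above, added here as an example and not code from the issue or from wp-user-frontend: it walks a plugin tree and reports every polyfill.io URL it finds, and runs against a constructed sample tree that mimics the conditional window.Promise load (the file names and the snippet are assumptions).

```python
import re
import tempfile
from pathlib import Path

# Any URL on the polyfill.io domain, including subdomains such as cdn.polyfill.io.
POLYFILL_URL_RE = re.compile(r"https?://(?:[\w-]+\.)*polyfill\.io(?:/[^\s\"'<>]*)?", re.I)
SCANNED_SUFFIXES = {".php", ".js", ".html"}

def find_polyfill_refs(root):
    """Return (relative path, line number, url) for every polyfill.io URL under root."""
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.suffix.lower() in SCANNED_SUFFIXES):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in POLYFILL_URL_RE.finditer(line):
                hits.append((path.relative_to(root).as_posix(), lineno, match.group(0)))
    return hits

# Constructed sample plugin tree (not the real wp-user-frontend files): one file
# mirrors the conditional-load pattern from the issue, the other is clean.
CONSTRUCTED_FILES = {
    "includes/admin-builder.php": (
        "<?php\n"
        "?>\n"
        "<script>\n"
        "if (!window.Promise) {\n"
        "  var s = document.createElement('script');\n"
        "  s.src = 'https://cdn.polyfill.io/v2/polyfill.min.js?features=Promise';\n"
        "  document.head.appendChild(s);\n"
        "}\n"
        "</script>\n"
    ),
    "assets/js/clean.js": "console.log('no remote polyfill here');\n",
}

def scan_constructed_plugin():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in CONSTRUCTED_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return find_polyfill_refs(tmp)

if __name__ == "__main__":
    for rel, lineno, url in scan_constructed_plugin():
        print(f"{rel}:{lineno}: {url}")
```

Pointing `find_polyfill_refs` at a real `wp-content/plugins` directory lists every remaining reference to review; a hit inside an `if (!window.Promise)` guard is the dormant case the issue describes.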

anik-fahmid commented 1 week ago

Thank you for bringing it to our attention.

sflwa commented 1 week ago

As an FYI, WordFence has flagged this plugin - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-frontend

Rubaiyat-E-Mohammad commented 1 day ago

Fixed