wpeventmanager / wp-user-profile-avatar

WordPress currently only allows you to use custom avatars that are uploaded through Gravatar. WP User Profile Avatar allows you to change the default WordPress avatar or user profile picture. You can use any photo uploaded to your Media Library, or a custom photo URL, as an avatar instead of using Gravatar.
https://wp-eventmanager.com
GNU General Public License v3.0

Security issue : #113

Closed krinaydhanani closed 6 months ago

krinaydhanani commented 7 months ago

Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to a security bug.

https://wordpress.org/plugins/wp-user-profile-avatar/

For the next 60 days, your plugin will simply say that it is no longer available for download. After that time, it will state that it was closed for a security issue.

What to Do Next

We understand this can be a shocking and painful email to receive. We do not close plugins lightly, and when it comes to security issues we attempt to balance the volume of users and the history of the developers with the severity and potential for damage of the report. We believe that leaving plugins open would put users at risk if we allowed them to download code that could be exploited, and once an exploit is reported, it is often acted upon by persons nefarious.

To help restore your plugin as quickly as possible, you are required to do the following:

1. Review the report (listed below) and make corrections to prevent it from being exploitable
2. Perform a full security and standards review on your own code
3. Increase the plugin version
4. Ensure the 'tested up to' version in your readme is the latest release of WordPress
5. Update the code in SVN
6. Reply to this email and request a re-review

If you believe the report is not valid, and that your plugin is secure, please reply to this email to let us know. If the vulnerability is XSS or CSRF related, know that Chrome actually prevents those from working in their browser and you may need to check in Firefox or another browser.

Should you, for any reason, find you are unable to update the plugin, please let us know promptly so we can decide on the best course of action to take in order to protect the users. It's okay if you just can't fix this or don't want to.

Plugins are closed immediately and the developer contacted when this happens, in part because we have an imperfect system of notifications. This means until your plugin is corrected to meet our guidelines, we will not reopen it.

Please review our documentation on how to use SVN - https://developer.wordpress.org/plugins/wordpress-org/how-to-use-subversion/#best-practices - as improper SVN usage can delay our reviews.

When we re-review your code we will look at not just the changes, but the entire plugin, so there may be a delay. Rest assured, we prioritize reviews of security related issues above all else.

If you haven’t done so already, we strongly recommend setting up Plugin Check and running this before re-submission as ANY security and/or guideline violations it flags is required to be fixed before your plugin can be relisted. We recommend using this system in day-to-day development as it is capable of automatically catching a wide variety of the security and guideline violations we see on re-review.

Vulnerability Report

The vulnerability reported is Contributor+ Stored XSS. We confirmed the issue in the current version, 1.0.2.

PoC:

Unfortunately, it looks like there are still issues in the wp-author-box-display.php section.

If the [authorbox_social_info] shortcode is used on a page, some information on the user profile can be updated with an XSS payload:

User bio/description: I am cool
User Facebook URL: http://facebook.com/" onmouseover=alert(/xssfb/) "

It is not just the facebook URL, all of the URLs in the template appear to be vulnerable. This is because of function calls like this:

esc_url(the_author_meta('facebook'))

The function the_author_meta directly outputs the value, rather than returning it. This means that it is never run through esc_attr. Instead, the code should look like:

echo esc_url(get_the_author_meta('facebook'))

This will ensure that the output is escaped properly. This change needs to be made for almost all of the data being output in this file.

This is not a full review of your plugin.

Once you've replied, we will re-scan your entire plugin, looking for both security issues and guideline violations. Should we find other issues on a re-review, you will be required to fix those before we reopen your plugin.

We require this because if we found another security issue down the road, we would have to close your plugin again. We feel it's better for your reputation to have a plugin closed once and fixed rather than multiple times. In addition, there are some less than ethical companies who will absolutely 0-day your plugin if we reopen it while you're still working on security issues.

If you have any questions, please let us know.

--
WordPress Plugin Review Team | plugins@wordpress.org
https://make.wordpress.org/plugins/
https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/
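To make the echo-vs-return point in the report concrete, here is an added stand-alone PHP script (not code from the plugin or from the review team) that renders the Facebook link both the vulnerable way and the corrected way. The three WordPress functions it defines are simplified stand-ins that model only the behaviour relevant here, so the script runs without WordPress; the user profile is constructed sample data using the payload quoted in the report.

```php
<?php
// Constructed sample profile: the value a Contributor could save for the
// Facebook URL field, taken from the report above.
$profile = [
    'description' => 'I am cool',
    'facebook'    => 'http://facebook.com/" onmouseover=alert(/xssfb/) "',
];

// Stand-in for WordPress get_the_author_meta(): RETURNS the raw value.
function get_the_author_meta(string $field): string {
    global $profile;
    return $profile[$field] ?? '';
}

// Stand-in for WordPress the_author_meta(): ECHOES the raw value and returns
// nothing. That is exactly why esc_url(the_author_meta(...)) escapes nothing:
// the raw text is already written to the page before esc_url() ever runs.
function the_author_meta(string $field): void {
    echo get_the_author_meta($field);
}

// Simplified stand-in for WordPress esc_url(): keep only URL-safe characters.
// (The real function also normalises schemes and encodes entities; assumption:
// this allow-list is enough to show quotes and spaces being removed.)
function esc_url(?string $url): string {
    return preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]]/i', '', (string) $url);
}

// The vulnerable pattern from wp-author-box-display.php: the escaped string is
// computed but discarded, while the unescaped value has already been echoed.
function render_vulnerable(): string {
    ob_start();
    echo '<a href="';
    esc_url(the_author_meta('facebook'));   // raw value hits the page here
    echo '">Facebook</a>';
    return ob_get_clean();
}

// The corrected pattern: fetch with get_*(), escape, then echo.
function render_fixed(): string {
    ob_start();
    echo '<a href="';
    echo esc_url(get_the_author_meta('facebook'));
    echo '">Facebook</a>';
    return ob_get_clean();
}

echo "Vulnerable: " . render_vulnerable() . "\n"; // onmouseover= escapes the href attribute
echo "Fixed:      " . render_fixed() . "\n";      // quotes and spaces stripped, value stays inside href
```

To confirm no instance of the pattern remains after the fix, a search such as `grep -rnE 'esc_[a-z_]+\(\s*the_' .` over the plugin directory lists every escaping call that wraps an echoing template tag.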

mistry-jignesh commented 7 months ago

When I updated or changed the user name, a 404 message was displayed on the page.


mistry-jignesh commented 7 months ago

I have verified the UPA plugin after the improved security code. Now this issue is fixed. It is working fine, so I closed the issue.

mistry-jignesh commented 7 months ago

Issue details are in the attached file.

Gmail - Re_ Request for WP User Profile Avatar Plugin Activation on WordPress.org.pdf

mistry-jignesh commented 6 months ago

I have verified the UPA plugin after the improved security code. Now this issue is fixed. It is working fine, so I closed the issue.