WPIntell

Security issue in <=2.6.7

WP Date and Time Shortcode · support · 2025-03-31T20:29:00+00:00


Conversation

support
caordawebsol · resolved

Hi, this just got reported by Patchstack: "WP Date and Time Shortcode plugin <= 2.6.7 – Cross Site Scripting (XSS) vulnerability". Will there be a fix issued soon? Thanks!

Comments

Ivaylo Tinchev 2025-04-01T05:17:00+00:00

Hello @caordawebsol, thank you for writing. We still have no detailed information and we are trying to find out what exactly the issue is. Once we know more, we will fix it. Thank you for your patience and understanding.

PS: Generally we do not process any data input from the webpages with our shortcodes in any way, so we don't know how this vulnerability can be exploited, if there is one.

Simon Blackbourn 2025-04-01T07:24:00+00:00

I’ve just had an email from WP Engine notifying me of this vulnerability. Patchstack are saying it’s a low severity, but it would be good to get a fix for peace of mind.

Ivaylo Tinchev 2025-04-01T16:47:00+00:00

Hello, a new version of the plugin, 2.6.8, was released. You may update.

There was a possible "vulnerability" when a registered contributor creates post or page content using a [wpdts] shortcode in it and purposely places malicious JavaScript code in the post_id attribute. Then, if the submitted content is overlooked and published by the administrator or the editor, the inserted JavaScript may run, causing an XSS or other issue.

There is no security risk for general blogs or websites managed by their owners where no contributors are publishing, or where the administrators and editors watch the content carefully before publishing it.
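The attribute-handling failure described in the reply above, as an added example that is not the plugin's code: a minimal shortcode callback that concatenates the raw post_id attribute into markup, beside a hardened version that validates it as an integer and escapes on output. The function names, the data-post-id span, and the CLI fallbacks for absint/esc_attr/shortcode_atts are assumptions for illustration, not the plugin's actual output or WordPress's real implementations.

```php
<?php
// Added example, not code from the WP Date and Time Shortcode plugin. It shows
// the bug class described in the thread (a shortcode attribute such as post_id
// reaching HTML output unvalidated) next to a hardened handler. Assumes
// WordPress; the fallbacks approximate its functions so the file also runs from
// the PHP CLI for demonstration.
if (!function_exists('absint')) {
    function absint($maybeint) { return abs((int) $maybeint); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts) {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Unsafe pattern: the attribute string is concatenated into markup as-is.
// Shortcode attributes are plain text inside post_content, so the kses filter
// applied to a contributor's post does not treat them as HTML; a value holding
// a double quote breaks out of data-post-id when the page is rendered.
function wpdts_example_unsafe(array $atts): string {
    $a = shortcode_atts(['post_id' => 0], $atts);
    return '<span class="wpdts" data-post-id="' . $a['post_id'] . '"></span>';
}

// Hardened pattern: coerce post_id to a non-negative integer (anything that is
// not a number becomes 0), refuse to render an invalid id, and still escape the
// output value as defense in depth.
function wpdts_example_safe(array $atts): string {
    $a = shortcode_atts(['post_id' => 0], $atts);
    $post_id = absint($a['post_id']);
    if ($post_id === 0) {
        return ''; // nothing safe to render
    }
    return '<span class="wpdts" data-post-id="' . esc_attr($post_id) . '"></span>';
}

if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $hostile = ['post_id' => '42" data-x="']; // constructed value that closes the quote
    echo wpdts_example_unsafe($hostile), "\n"; // attribute context is broken
    echo wpdts_example_safe($hostile), "\n";   // only the integer 42 survives
}
```

The same review check applies to any shortcode attribute a lower-privileged role can author: validate it to the expected type before it reaches a query or markup, and escape it for the output context regardless.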

Simon Blackbourn 2025-04-02T11:19:00+00:00

Brilliant, thank you for a very quick response 😊

Ivaylo Tinchev 2025-04-02T11:25:00+00:00

I am closing this support thread as resolved. Good luck!