Conversation
support: I am getting reports of a cross-site scripting vulnerability in v5.4.14. Is there work in progress to correct this?
Hello, We have already been notified of this vulnerability (which isn’t really one) by the Patchstack platform researcher who discovered these pseudo-vulnerabilities. To provide some context, it’s important to understand that Patchstack pays researchers based on the number of vulnerabilities reported. This cross-site scripting vulnerability requires the attacker to already have elevated privileges on your site in order to be exploited. In that sense it is anecdotal and cannot be exploited if administrative rights and WordPress roles are properly managed by the admin of the website in question. Anyway, the next release will include an update for that. However, it’s very interesting to report these vulnerabilities since they affect 70% of WordPress and WooCommerce plugins. Unfortunately, this is a lucrative business for these whistleblowers, who exploit this opportunity to generate easy revenue. We identified a single day on which the researcher in question reported 70 vulnerabilities (always the same XSS vulnerability) in less than 24 hours. You get the idea… It’s a bit like antivirus or anti-malware programs that find false positives to fuel users’ fear of a viral infection, often prompting them to upgrade to the premium or paid version of the product for better security. Now, if you notice any real practical (not theoretical) exploitation of this vulnerability in our plugins, please let us know, and we’ll immediately send our development team to fix it. However, as it stands, we have not been provided with any evidence that this known vulnerability affects our products. Sincerely,