Security issue | WordPress.org

Resolved hennasranta
(@hennasranta)

3 months, 2 weeks ago

Hello,

I have Wordfence plugin installed in my website and in the recent scan there was a critical issue with this plugin. Here is a link to this issue: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cartflows/woocommerce-checkout-funnel-builder-by-cartflows-create-high-converting-stores-for-woocommerce-207-authenticated-contributor-stored-cross-site-scripting

And here is the issue: “The WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Can you do something to remove this security vulnerability?

Thank you so much for help!

Viewing 1 replies (of 1 total)

Plugin Support Aamir
(@aamiribsf)

3 months ago
Hi @hennasranta ,

Thank you for bringing this to our attention and for sharing the details.

I’d like to reassure you that this security issue has already been patched on our end. The vulnerability you’re referring to affected older versions of the plugin and has been fully addressed in later releases.

Here is the screenshot of the part from the shared report
- https://bsf.d.pr/i/nOeq10
Please make sure you update CartFlows to the latest version (v2.1.19). Once updated, the reported vulnerability should no longer be flagged.

If you’re still seeing the warning after updating, feel free to let me know and I’ll be happy to look into it further.

Thanks again for your vigilance and for keeping your site secure.

Best regards,

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.

2 replies
2 participants
Last reply from: Aamir
Last activity: 3 months ago
Status: resolved