Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author MapGeo

    (@interactivegeomaps)

Greetings, when there’s a security vulnerability found, usually these companies send the plugin authors, at least a month before it’s made public, instructions on where the issue is and suggestions on how to fix it, so that when the issue is made public, there’s already a fixed version. We are currently awaiting additional instructions from Patchstack with more information. We apologize for the delay; however, we are also waiting for feedback, which may take a week to validate.

    Plugin Author MapGeo

    (@interactivegeomaps)

I can confirm this from our local env. One of the vulnerabilities was via post_type=igmap&page=interactive-geo-maps-pricing, which was fixed by freemius-sdk v2.11.0 and which we patched in v1.6.23. The other one was in any tab, where a user could inject encoded JavaScript snippets or images with links and trick users into clicking. We have fixed this in v1.6.25 by sanitizing URL params before using them.
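As an added illustration, not the plugin's own code: the kind of unescaped URL-parameter echo that produces a reflected XSS in a WordPress admin tab, beside the sanitized and escaped form the reply describes. The function names, page slug and tab names are assumptions.

```php
<?php
// Added example (not MapGeo's code). Hypothetical admin settings page;
// function names, the page slug and the tab names are assumptions.

// Vulnerable pattern: the "tab" query parameter is written straight into
// markup. A crafted link can break out of the attribute or text context,
// and the injected markup runs in the browser of whoever opens the link
// while logged in. Nothing is validated and nothing is escaped.
function igm_demo_render_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<a class="nav-tab" href="?page=igm-demo&tab=' . $tab . '">'
        . $tab . '</a>';
}

// Hardened pattern: sanitize the raw input, reject anything outside a
// fixed allow-list, then escape for the exact output context
// (esc_url for the href attribute, esc_html for the link text).
function igm_demo_render_tab_safe() {
    $allowed = array( 'general', 'styling', 'pricing' );

    $tab = isset( $_GET['tab'] )
        ? sanitize_key( wp_unslash( $_GET['tab'] ) )
        : 'general';

    // Unknown or malformed values fall back to a known-good tab.
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general';
    }

    $url = add_query_arg(
        array( 'page' => 'igm-demo', 'tab' => $tab ),
        admin_url( 'admin.php' )
    );

    echo '<a class="nav-tab" href="' . esc_url( $url ) . '">'
        . esc_html( $tab ) . '</a>';
}
```

The allow-list is what removes the attack surface; the escaping calls are the second layer in case a value ever reaches output without passing through it.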

    Exo

    (@richardshea)

Thanks for the updates, looking forward to seeing a new version we can download soon to fix this.

    WordFence has also flagged a security vulnerability.

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/interactive-geo-maps/interactive-geo-maps-1624-reflected-cross-site-scripting

    I have some sites with the Pro version and some with the free. The free version can only be updated to 1.6.18, although I can uninstall and then download 1.6.24, this does not include the security update. Will there be a rollout for the free version?

    • This reply was modified 11 months, 2 weeks ago by Rich Ambrose.
    • This reply was modified 11 months, 2 weeks ago by Rich Ambrose. Reason: Improved the question
    • This reply was modified 11 months, 2 weeks ago by Yui.

    Hello, just following up on this – it is marked as RESOLVED but doesn’t appear to be? At least, I don’t see a patched version available for download anywhere?

    Plugin Author MapGeo

    (@interactivegeomaps)

Hello everyone, we rolled out a new patched version just yesterday.

    Hello, when will the version be online? On my end, I don’t have anything at all. Thanks.

    Exo

    (@richardshea)

The new version does not seem to be online, despite this showing as resolved and the statement “we rolled out a new patched version”, which is now 2 days ago.
Can we ask the developers if this can be fetched manually elsewhere (your own site?) if it’s not here?


The topic ‘vulnerability found according to patchstack’ is closed to new replies.