vulnerable

Resolved I Declare MultiMedia
(@m4declare1)

3 years ago

WordPress Drag and Drop Multiple File Upload – Contact Form 7 Plugin <= 2.11.0 is vulnerable to Cross Site Scripting (XSS)

The page I need help with: [log in to see the link]

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author Glen Don Mongaya
(@glenwpcoder)

3 years ago
Hi @m4declare1 ,

The vulnerability issue has been fixed both in Free and Pro version.

As you can see it here – https://wpscan.com/plugin/drag-n-drop-upload-cf7-pro

Patched Link – https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-contact-form-7/wordpress-drag-and-drop-multiple-file-upload-pro-contact-form-7-standard-plugin-2-11-0-reflected-cross-site-scripting-vulnerability?_a_id=110

Please let me know.
- This reply was modified 3 years ago by James Huff.
- This reply was modified 3 years ago by Glen Don Mongaya.
- This reply was modified 3 years ago by Yui.
Plugin Author Glen Don Mongaya
(@glenwpcoder)

3 years ago

Please update to version 2.11.1.

You can manually update the plugin by going to Dashboard -> Updates click “Check again” button multiple times until the new updates/version will show up.

jayahn4
(@jayahn4)

3 years ago

@glenwpcoder

Hi Glen,

I’m having the same issue. ManageWP is flagging the plugin as vulnerable below version 2.11.0, but the latest version for this plugin is 1.3.6.7, which I have already updated to. Also downloaded manually from here and uploaded, but still vulnerable.

Plugin Author Glen Don Mongaya
(@glenwpcoder)

3 years ago

Hello @m4declare1 ,

If you are updated to version 1.3.6.7 you are safe and ignore the message.

The issue is related to pro version < 2.11.0 I’m not sure if their database is updated, it’s on their end maybe they will need to double check or update the status of the issue.

They will probably notify all the customers (in general) whether using pro or free version as some of them using Our pro version.

Thank You.

jayahn4
(@jayahn4)

3 years ago

Great news @glenwpcoder

ManageWP seems to have fixed this and now the plugin isn’t flagged as vulnerable anymore. Thank you!

Plugin Author Glen Don Mongaya
(@glenwpcoder)

3 years ago

Thanks for letting me know @jayahn4

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘vulnerable’ is closed to new replies.