Hi Brigitte,
Thanks for letting me know. I was not aware of this.
According to the link you provided, the issue is a cross-site scripting vulnerability that “makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
If I understand that correctly, it means that in order to take advantage of the vulnerability, the attacker would have to be someone with login credentials as a contributor or higher for the site. As long as you trust all the users for the site with contributor or higher access, it seems like it would be safe to continue using the plugin until I investigate further and (hopefully) release a patch.
If you have any doubts about the users of the site with such access, I recommend disabling and deleting the plugin until I have released a fix.
I will post back here with my progress.
Thread Starter
Brisch
(@brisch)
Thanks! So far, on the website where I use it, there are no other users. But I am looking forward to the update.
Blessings, @brisch
@brisch, that sounds like you’ll be safe for now!
I’m about 75% of the way through a re-do of the PHP files to bring them up-to-date with WordPress best-practices. After that, I’ll check the JS files and do some testing/debugging before uploading an update. I’ll let you know when I’ve got the update uploaded.
Hi @brisch,
I just uploaded v. 1.4, which I believe addresses all the potential security issues reported by Wordfence and brings the code of Menu In Post up to current WordPress guidelines.
I made a lot of code changes, so although I tested it and debugged it, please let me know if I missed anything.
Thank you again for making me aware of the security vulnerabilities.
Thread Starter
Brisch
(@brisch)
Thanks, I did all updates and it works like before!
https://thedancingwolves.at/tanzbeschreibung-l/
Blessings! @brisch
Thread Starter
Brisch
(@brisch)
PS: Sorry, I can’t add a five-star rating now. I wanted to do that, but I just saw that I already did it 2 years ago.
I’m glad it’s working for you. I appreciate the five-star rating. One is enough! Thanks again for letting me know about the security issue(s).