Security issue

Hi everyone,

I’m not sure why this XSS vulnerability was published. Back in January, Darius from Patchstack contacted me with XSS details, and I tried to reproduce it locally. I found that there is no issue with our plugin and informed Darius about this. I never received any reply or additional information from Darius or anyone else regarding the XSS issue.

This was my reply:

I may be missing something, but your example appears invalid.

In your video, you’re breaking the block output, and our block code doesn’t execute at all. Instead, you’re displaying custom HTML. This approach allows outputting any content using any block name.

From 2:24 in your video, the output is no longer from our block – it’s just a simple string:

— There was a screenshot from the video, but I’m not sure it makes sense right now. —

I can replicate this behavior in the editor with various tags, but this doesn’t indicate a vulnerability in our block. You can see an example of how our block should function and how your “injection” disrupts it here: https://shot.nkdev.info/94YjltmsRdp11RrsMP7Z. This example also demonstrates how renaming the block produces the same output.

If I’m wrong, please show me where.

I’ve contacted Darius again and am waiting for his reply. Perhaps someone else can help resolve this issue. I’m still unsure whether this report is valid since I cannot reproduce it. If it is valid, we will definitely fix it.

Regards,
Nikita.

@dportela WPScan ignores our emails, so we’re not sure how to fix this since the issue was never on our side.