  • #1465838

    My host's routine scan has highlighted that Enfold <= 6.0.3 is vulnerable to Stored Cross-Site Scripting.

    Is this already known about? If so, any idea on an update/fix? The Jetpack ‘fix’ seems to remove Enfold and activate the default theme so probably not the best fix.

    Enfold <= 6.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters

    Description
    The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and ‘class’ parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    https://wpscan.com/vulnerability/92c563a1-acef-4191-b8ea-f6746ef0ee76/
    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/enfold/enfold-603-authenticated-contributor-stored-cross-site-scripting-via-wrapper-class-and-class-parameters

    #1465840

    Same issue here – hundreds of sites :-(

    #1465864

    My SolidWP Security pack… reports: Enfold 6.0.3 is vulnerable to Stored Cross-Site Scripting.

    #1465881

    Hi,

    We are aware of this and we’re working on a solution. Please note that this is a low severity problem.

    Best regards,
    Rikard

    #1466140

    Hi,

    Just to let you folks know, our developers addressed this issue and we will release Enfold 6.0.4 very soon.

    Best regards,
    Yigit

    #1466141

    Thanks Yigit, I spotted it in the upcoming release list, good work 👍

    #1466144

    You guys rock!!!

    #1466716

    hup!
    Ehhh – After this “update” … I get a strange error:
    I often and randomly (like every 3-5 minutes) get a blank page with only a “-1” in the left corner? (See pic)
    https://drive.google.com/file/d/1-DSrXBBqu8DtEAIcMVky8szWhtUEMgpC/view?usp=drivesdk
    It happens in my browser (latest Chrome) when I work on my pages as an admin!

    I have deleted all data in my browser to no result?
    I tried to locate the error by disabling all plugins (except WooCommerce and payment/shipping plugins), no effect.
    I can press F5 and refresh the page and it loads… But when I have spent 27 min. editing text on a page… I sometimes lose all that work :-/ .-(

    Please advise!

    Peter

    #1466798

    Hi Peter,

    We haven’t seen that on our test installations, and no other users have reported the same problem either. What you are describing can happen if you are being logged out of WordPress though.

    Best regards,
    Rikard

    #1466805

    Hi Rikard,
    Thx – I will look elsewhere…
