August 30, 2024 at 8:46 pm #1465838
My host's routine scan has highlighted Enfold <= 6.0.3 is vulnerable to Stored Cross-Site Scripting.
Is this already known about? If so, any idea on an update/fix? The JetPack ‘fix’ seems to remove Enfold and activate the default theme so probably not the best fix.
Enfold <= 6.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters
Description
The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and ‘class’ parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
https://wpscan.com/vulnerability/92c563a1-acef-4191-b8ea-f6746ef0ee76/
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/enfold/enfold-603-authenticated-contributor-stored-cross-site-scripting-via-wrapper-class-and-class-parameters
August 30, 2024 at 9:48 pm #1465840
Same issue here – hundreds of sites :-(
August 31, 2024 at 12:35 am #1465850
This reply has been marked as private.
August 31, 2024 at 11:08 am #1465864
My SolidWP Security pack… reports: Enfold 6.0.3 is vulnerable to Stored Cross-Site Scripting.
August 31, 2024 at 1:06 pm #1465881
Hi,
We are aware of this and we’re working on a solution. Please note that this is a low severity problem.
Best regards,
Rikard
September 3, 2024 at 4:02 pm #1466140
Hi,
Just to let you folks know, our developers addressed this issue and we will release Enfold 6.0.4 very soon.
Best regards,
Yigit
September 3, 2024 at 4:04 pm #1466141
Thanks Yigit, I spotted it in the upcoming release list, good work 👍
September 3, 2024 at 4:14 pm #1466144
You guys rock!!!
September 11, 2024 at 2:27 pm #1466716
hup!
Ehhh – After this “update” … I get a strange error:
I often and randomly (like every 3-5 minutes) get a blank page with only a “-1” in the left corner? (See pic)
https://drive.google.com/file/d/1-DSrXBBqu8DtEAIcMVky8szWhtUEMgpC/view?usp=drivesdk
It happens in my browser (latest Chrome) when I work on my pages as an admin!
I have deleted all data in my browser to no result?
I tried to locate the error by disabling all plugins (except Woocommerce and payment/shipping plugins), no effect.
I can press F5 and refresh page and it loads… But when I have spent 27 min. to edit text on a page… I sometimes lose all that work :-/ .-(
Please advise!
Peter
September 12, 2024 at 11:12 am #1466798
Hi Peter,
We haven’t seen that on our test installations, and no other users have reported the same problem either. What you are describing can happen if you are being logged out of WordPress though.
Best regards,
Rikard
September 12, 2024 at 11:29 am #1466805
Hi Rikard,
Thx – I will look elsewhere…