Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to an exploit.
https://wordpress.org/plugins/skautappka-connection/
For the next 60 days, your plugin will simply say that it is no longer available for download. After that time, it will state that it was closed for a security issue.
What to Do Next
We understand this can be a shocking and painful email to receive. We do not close plugins lightly, and when it comes to security issues we attempt to balance the volume of users and the history of the developers with the severity and potential for damage of the report. We believe that leaving plugins open would put users at risk if we allowed them to download code that could be exploited, and once an exploit is reported, it is often acted upon by persons nefarious.
To help restore your plugin as quickly as possible, you are required to do the following:
Review the report (listed below) and make corrections to prevent it from being exploitable
Perform a full security and standards review on your own code
Increase the plugin version
Ensure the 'tested up to' version in your readme is the latest release of WordPress
Update the code in SVN
Reply to this email and request a re-review
If you believe the report is not valid, and that your plugin is secure, please reply to this email to let us know. If the vulnerability is XSS or CSRF related, know that Chrome actually prevents those from working in their browser and you may need to check in Firefox or another browser.
Should you, for any reason, find you are unable to update the plugin, please let us know promptly so we can decide on the best course of action to take in order to protect the users. It's okay if you just can't fix this or don't want to.
Plugins are closed immediately and the developer contacted when this happens, in part because we have an imperfect system of notifications. This means until your plugin is corrected to meet our guidelines, we will not reopen it.
Please review our documentation on how to use SVN - https://developer.wordpress.org/plugins/wordpress-org/how-to-use-subversion/#best-practices - as improper SVN usage can delay our reviews.
When we re-review your code we will look at not just the changes, but the entire plugin, so there may be a delay. Rest assured, we prioritize reviews of security related issues above all else.
Vulnerability Report
You incorrectly use an esc_ function to sanitize. You must use sanitize functions when sanitizing:
skautappka-connection/SkautAppkaWidget.php:453: $outputHtml .= '
'.esc_html($messages[$_GET['message']]).'
';
You do not escape when you echo:
skautappka-connection/SkautAppkaWidget.php:202: echo $outputHTML;
skautappka-connection/SkautAppkaWidget.php:297: echo $outputHtml;
skautappka-connection/SkautAppkaWidget.php:504: echo $outputHtml;
This is not a full review of your plugin. Should we find other security issues on a re-review, you will be required to fix those before we reopen your plugin. This is because if we found another security issue down the road, we would have to close your plugin again. We feel it's better for your reputation to have a plugin closed once and fixed rather than multiple times.
If you have any questions, please let us know.
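The two findings in the report side by side, as an added example that is not the plugin's own code: the flagged pattern (request input used as an array key, with esc_html() doing duty as the only "sanitization", and the assembled buffer echoed unescaped) next to a hardened form that sanitizes and whitelists on input and escapes on output. It assumes a WordPress runtime (sanitize_key, wp_unslash, esc_html and wp_kses_post are core functions); the function names and the $messages table are constructed for the example.

```php
<?php
// Constructed message table; the real plugin's keys and texts are not on the page.
$messages = array(
    'saved' => 'Settings saved.',
    'error' => 'Connection failed.',
);

// Before: the pattern the report flags. esc_html() only escapes the value that was
// looked up; it never validates $_GET['message'] as a key, so an unexpected key gives
// a PHP notice and an empty notice body, and the whole buffer is echoed with no
// output escaping at all.
function skaut_notice_before( array $messages ) {
    $outputHtml  = '<div class="notice">';
    $outputHtml .= '<p>' . esc_html( $messages[ $_GET['message'] ] ) . '</p>';
    $outputHtml .= '</div>';
    echo $outputHtml;
}

// After: sanitize on input, then whitelist the key against the table we control;
// escape on output, with esc_html() for the text and wp_kses_post() for the
// assembled markup at the echo.
function skaut_notice_after( array $messages ) {
    $key = isset( $_GET['message'] ) ? sanitize_key( wp_unslash( $_GET['message'] ) ) : '';
    if ( ! array_key_exists( $key, $messages ) ) {
        return; // unknown or missing message id: render nothing rather than a notice
    }
    $outputHtml  = '<div class="notice">';
    $outputHtml .= '<p>' . esc_html( $messages[ $key ] ) . '</p>';
    $outputHtml .= '</div>';
    echo wp_kses_post( $outputHtml );
}
```

The same split applies to the other three echo sites in the report: every dynamic piece is escaped as it is concatenated into $outputHtml, and the final echo passes the buffer through an output-escaping function rather than printing it raw.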