
GD bbPress Attachments 2.6

A new version of GD bbPress Attachments is here with several updates and fixes, including a fix for a potential stored XSS vulnerability related to saving and displaying upload errors.

The plugin requirements are updated: the minimum supported versions are now PHP 5.5, WordPress 4.4 and bbPress 2.5. A few translation strings were missing; these are now fixed.

As for the security vulnerability, the plugin had a potential stored XSS vulnerability related to saving and displaying upload errors. On some UNIX-based systems, a file name can contain the < and > characters, so the file name itself can carry an HTML/JS payload. The upload of such a file will fail, but the logged error contains the original file name, and that name was printed without escaping. This vulnerability is very hard to deliver, and the logged error is visible only to administrators and uploaders, but it was important to fix it as soon as possible. So, upgrade to 2.6 now.
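To make the issue concrete, here is an added example (not the plugin's own code) that reproduces the flow described above: an upload fails, the error message keeps the raw file name, and the stored message is later rendered to an administrator. The file name, the log array and the render functions are all constructed for this illustration; the hardened version escapes at output time, which in WordPress is what esc_html() does (htmlspecialchars() is used here so the script runs stand-alone).

```php
<?php
// Added example, not code from GD bbPress Attachments. It shows why an
// unescaped file name inside a stored upload error becomes a stored XSS sink,
// and the escape-on-output fix.

// Constructed sample: on UNIX-like filesystems '<' and '>' are legal file name
// characters, so a file name can contain markup. Here it carries a harmless tag.
$uploadedName = '<b>not-a-real-file</b>.pdf';

// --- Vulnerable pattern: the raw file name is embedded in the stored error and
//     later echoed as-is, so any markup in it is interpreted by the browser. ---
function log_upload_error(array &$log, string $fileName, string $reason): void {
    // Storing the raw name is fine on its own; the defect is the unescaped output below.
    $log[] = "Upload of file '$fileName' failed: $reason";
}

function render_log_unsafe(array $log): string {
    $html = '<ul>';
    foreach ($log as $entry) {
        $html .= '<li>' . $entry . '</li>'; // no escaping: stored XSS
    }
    return $html . '</ul>';
}

// --- Hardened pattern: escape every stored string at the point it is written
//     into HTML. esc_html() in WordPress does the same job as esc() here. ---
function esc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_log_safe(array $log): string {
    $html = '<ul>';
    foreach ($log as $entry) {
        $html .= '<li>' . esc($entry) . '</li>'; // '<' becomes '&lt;', shown as text only
    }
    return $html . '</ul>';
}

$log = [];
log_upload_error($log, $uploadedName, 'file type not allowed');

echo "Unsafe render (markup is live):\n", render_log_unsafe($log), "\n\n";
echo "Safe render (markup is displayed as text):\n", render_log_safe($log), "\n";
```

The point of the fix is where the escaping happens: the stored error can keep the original file name so the administrator still sees exactly which file failed, but the name must be escaped when it is written into HTML, not trusted because it came from the server's own log. As defence in depth, WordPress's sanitize_file_name() strips characters such as < and > from a file name before it is used, which removes the payload from the error message entirely.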

I would like to thank Luigi Gubello for responsibly disclosing the vulnerability; he will follow up with an official disclosure in two weeks.

As always, if you notice any problems, please report them in the comments or in the forum.


About the author

Milan Petrovic

Programmer since the age of 12 and WordPress developer since 2008 as freelancer and author of more than 200 plugins and more than 20 themes.
