GD bbPress Toolbox Pro 5.1.4 is the second minor update this week, this time with important security-related changes: a fix for a potential stored XSS vulnerability in the attachments module, in the way upload errors were saved and displayed.

The plugin had a potential stored XSS vulnerability in the saving and displaying of upload errors. On Linux and other UNIX-like systems a file name may contain the < and > characters, so the file name itself can be an HTML/JS payload. Uploading such a file fails, but the logged error kept the original file name, and that name was then printed without escaping. This vulnerability is hard to deliver and very low on the threat scale, since the crafted file name has to get through an upload attempt and the logged error is visible only to administrators and uploaders, but it was still important to fix it as soon as possible. So, upgrade to 5.1.4 now.
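To make the failure mode concrete, here is an added example in plain PHP; it is not code from GD bbPress Toolbox Pro and does not show the plugin's actual fix. It assumes a hypothetical in-memory array standing in for the plugin's saved upload errors, a file name taken as the client sent it, and a constructed payload file name that is perfectly legal on Linux. The unsafe renderer echoes the stored name verbatim; the hardened renderer escapes at output time.

```php
<?php
// Added example, not GD bbPress Toolbox Pro code. Demonstrates how a rejected upload's
// original file name can become a stored XSS payload when it is logged and later echoed
// unescaped, and how output escaping neutralises it.
//
// Assumptions (hypothetical): $log stands in for the plugin's saved upload errors;
// $uploaded_name is what $_FILES['...']['name'] would carry, untouched.

// Constructed sample: a valid Linux file name that is also an HTML/JS payload.
$uploaded_name = '<img src=x onerror=alert(document.cookie)>.png';

// The upload itself is rejected, but the error entry keeps the original name.
function log_upload_error(array &$log, string $name, string $reason): void {
    $log[] = ['file' => $name, 'reason' => $reason];
}

// 1. Vulnerable: stored values are concatenated straight into the admin-facing HTML.
function render_errors_unsafe(array $log): string {
    $html = '<ul>';
    foreach ($log as $entry) {
        $html .= '<li>' . $entry['file'] . ': ' . $entry['reason'] . '</li>';
    }
    return $html . '</ul>';
}

// 2. Hardened: every stored value is HTML-escaped at the point it is printed.
//    ENT_QUOTES also escapes quotes so the value is safe inside attributes,
//    ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_errors_safe(array $log): string {
    $html = '<ul>';
    foreach ($log as $entry) {
        $html .= '<li>' . esc($entry['file']) . ': ' . esc($entry['reason']) . '</li>';
    }
    return $html . '</ul>';
}

// Walk through the scenario: the upload fails, the error is logged, and an
// administrator later views the error list.
$log = [];
log_upload_error($log, $uploaded_name, 'file type not allowed');

echo render_errors_unsafe($log), "\n"; // the <img ... onerror=...> reaches the page as live markup
echo render_errors_safe($log), "\n";   // same entry, but the tag is rendered as harmless text
```

Inside WordPress the same escaping is done with esc_html(), and sanitize_file_name() additionally strips < and > from a name before it is stored, which gives a second layer of defence; the essential point is that the stored error message must be treated as untrusted data when it is displayed, even though the file it refers to was never accepted.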

I would like to thank Luigi Gubello for responsibly disclosing the vulnerability, first discovered in our free GD bbPress Attachments plugin, which shares some of its code with GD bbPress Toolbox Pro; he will follow up with an official disclosure in two weeks.

As always, please report any issues you find in the support forum.


About the author

MillaN
Dev4Press owner and lead developer

Programmer since the age of 12 and now a WordPress developer with more than 8 years of WordPress experience, author of more than 100 plugins and more than 20 themes.
