Blog Post

GD bbPress Toolbox Pro 5.1.4

GD bbPress Toolbox Pro 5.1.4 is the second minor update this week, this time with important security-related changes: a fix for a potential stored XSS vulnerability in the attachments module's handling of upload errors.

The plugin had a potential stored XSS vulnerability related to saving and displaying upload errors. On some UNIX-based systems a file name can contain the < and > characters, so the file name itself can carry an HTML/JS payload. Uploading such a file fails, but the logged error contained the original file name, and that name was printed without escaping. This vulnerability is very hard to deliver and is very low on the threat scale, and the logged errors are visible only to administrators and uploaders, but it was important to fix it as soon as possible. So, upgrade to 5.1.4 now.
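To make the bug pattern concrete, here is an added example. It is not code from the plugin or from Dev4Press; the function names, the log structure and the sample file name are all constructed for illustration. It contrasts the unsafe rendering (attacker-controlled file name concatenated straight into HTML) with the hardened version that escapes every stored value for the HTML context it is printed into. A stand-in for WordPress's esc_html() is defined so the snippet runs outside WordPress; inside WordPress the real function is used.

```php
<?php
// Added example, not the plugin's own code. Demonstrates why an upload
// error message that echoes the original file name must escape it.

// Stand-in so the snippet runs outside WordPress (assumption: in WordPress
// the real esc_html() is already defined and this block is skipped).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample input: on UNIX hosts '<' and '>' are legal in file
// names, so the name itself can be an HTML/JS payload.
$uploaded_name = '<img src=x onerror=alert(1)>.pdf';

// Simulated upload failure (hypothetical function): the error is logged
// together with the original, attacker-controlled file name.
function gd_record_upload_error( array &$log, string $file_name, string $reason ): void {
    $log[] = array(
        'file'   => $file_name,  // stored verbatim: acceptable in storage, dangerous on output
        'reason' => $reason,
        'time'   => time(),
    );
}

// Vulnerable rendering pattern: raw stored values concatenated into HTML.
// Whoever views the error list (an admin, an uploader) executes the payload.
function gd_render_errors_unsafe( array $log ): string {
    $out = '';
    foreach ( $log as $entry ) {
        $out .= '<li>' . $entry['file'] . ': ' . $entry['reason'] . '</li>';
    }
    return $out;
}

// Hardened rendering: escape at the point of output, for the HTML text
// context. The stored data is unchanged; only its presentation is neutralised.
function gd_render_errors_safe( array $log ): string {
    $out = '';
    foreach ( $log as $entry ) {
        $out .= '<li>' . esc_html( $entry['file'] ) . ': ' . esc_html( $entry['reason'] ) . '</li>';
    }
    return $out;
}

$log = array();
gd_record_upload_error( $log, $uploaded_name, 'File type not allowed' );

echo gd_render_errors_unsafe( $log ), PHP_EOL;
echo gd_render_errors_safe( $log ), PHP_EOL;
```

The unsafe renderer emits the file name as live markup, so the img tag and its onerror handler are parsed by the viewer's browser; the safe renderer turns < and > into &lt; and &gt; and the same string is displayed as plain text. Escaping belongs at output, keyed to the context (esc_html() for HTML text, esc_attr() for attribute values). Sanitising the name on intake with WordPress's sanitize_file_name(), which strips < and > among other characters, is a reasonable second layer, but it does not replace output escaping, because the reason string or any other logged field could carry the same problem.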

I would like to thank Luigi Gubello for responsibly disclosing the vulnerability, first discovered in our free GD bbPress Attachments plugin, which shares some of its code with GD bbPress Toolbox Pro. He will follow up with an official disclosure in two weeks.

As always, please, report any issues if you find them in the support forum.


About the author

Milan Petrovic

CEO and lead developer of the Dev4Press web development company, working with WordPress since 2008, first as a freelancer and later by founding his own development company. Author of more than 250 plugins and more than 20 themes.
