I, too, would like to know. Wordfence is flagging it as critical.
For info:
WP Subtitle <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Vulnerability Severity: 6.4/10.0 (Medium)
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-subtitle/wp-subtitle-341-authenticated-contributor-stored-cross-site-scripting
Following this thread as well, would like to know if a fix is coming.
WP Subtitle <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
I think the line in question is in includes/subtitle.php, line 126:
return update_metadata( 'post', $this->post_id, $this->get_post_meta_key(), $subtitle );
That puts the raw subtitle into the DB which could contain JavaScript code… and if not escaped when output … you get Stored Cross-Site Scripting…
Adding a sanitize_text_field should address the issue as it strips all tags:
return update_metadata( 'post', $this->post_id, $this->get_post_meta_key(), sanitize_text_field( $subtitle ) );
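The two defensive layers discussed in this post (strip tags when the subtitle is saved, escape when it is printed), as an added stand-alone illustration that is not WP Subtitle's own code. It runs without WordPress, so the plain PHP functions `strip_tags()` and `htmlspecialchars()` stand in for `sanitize_text_field()` and `esc_html()`, and an in-memory array stands in for post meta; the sample subtitle, the helper names and the `save_subtitle_*` functions are all constructed for this example.

```php
<?php
// Added example, not the plugin's code: emulates the save-time and output-time
// defences against stored XSS with plain PHP. In WordPress the save-time layer
// is sanitize_text_field() and the output-time layer is esc_html(); the helpers
// below approximate their behaviour so the script runs without WordPress.

// Constructed sample input that a Contributor-level user could submit as a subtitle.
$submitted = "<script>alert(1)</script>Hello <b>world</b>\n";

// Save-time layer (approximates sanitize_text_field()): strip all tags,
// collapse whitespace, trim. Tag *contents* remain as plain text.
function sanitize_subtitle(string $raw): string {
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\r\n\t ]+/', ' ', $clean);
    return trim($clean);
}

// Output-time layer (approximates esc_html()): encode HTML metacharacters so
// whatever is stored is rendered as text, never parsed as markup.
function escape_subtitle(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed in-memory stand-in for post meta; not a real database.
$post_meta = [];

// Before: the 3.4.1 pattern quoted above, raw value stored as-is.
function save_subtitle_unsafe(array &$meta, int $post_id, string $subtitle): void {
    $meta[$post_id] = $subtitle;
}

// After: a single sanitizing write path. Routing every insert and update
// through this one function keeps the two paths from diverging.
function save_subtitle_safe(array &$meta, int $post_id, string $subtitle): void {
    $meta[$post_id] = sanitize_subtitle($subtitle);
}

save_subtitle_unsafe($post_meta, 1, $submitted);
save_subtitle_safe($post_meta, 2, $submitted);

echo "stored (unsafe): " . $post_meta[1] . PHP_EOL;
echo "stored (safe):   " . $post_meta[2] . PHP_EOL;

// Even the unsafely stored value is inert if the template escapes on output,
// which is why both layers are worth having.
echo "rendered (unsafe value, escaped on output): " . escape_subtitle($post_meta[1]) . PHP_EOL;
echo "rendered (safe value, escaped on output):   " . escape_subtitle($post_meta[2]) . PHP_EOL;
```

Run it with `php example.php`. The safe stored value keeps the visible text (`alert(1)Hello world`) but no markup, mirroring what `sanitize_text_field()` does; the escaped render of the unsafe value shows the script tag as literal text, which is the second line of defence a theme's output code should never skip.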
Is that the first time it saves? Make sure you get all instances of it inserting and updating. Thanks!
I think this has now been fixed in version 3.4.2