I came here looking for similar information since iThemes Security is now highlighting two vulnerabilities: a Contributor+ Stored XSS vulnerability and a Local File Inclusion. Very odd and such a shame since the plugin has so many users and has been updated somewhat recently.
File: classes/YARPP_Shortcode.php
Line: 40
⚠️ Attributes should be escaped
$atts = array_map(function( $item ) {
    // escape each shortcode attribute value before it is used
    $trimmed_value = trim(esc_attr($item)); // ⚠️ Attributes should be escaped
    // check for the strings "true" and "false" to mean boolean true and false
    if ( is_string($trimmed_value) ) {
        $lower_trimmed_value = strtolower($trimmed_value);
        if ( $lower_trimmed_value === 'true' ) {
            $trimmed_value = true;
        } elseif ( $lower_trimmed_value === 'false' ) {
            $trimmed_value = false;
        }
    }
    // hand the normalized value back to array_map
    return $trimmed_value;
}, $atts);
Wordfence alerted me to this issue (https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-5302-authenticated-contributor-local-file-inclusion). I’ve uninstalled the plugin.
I hope the authors will post here when the plugin is patched to let us know when it is safe to reinstall it!
Blogvault is also giving the security error.
Same – but WordFence.
Hopefully, there will be a rapid response and we can enable it again.
Plugin Author
YARPP
(@jeffparker)
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-5302-authenticated-contributor-local-file-inclusion has been patched in v5.30.5. Please upgrade to the latest version.
The issue was limited to Windows servers and the user would have to have writing permission. If your server is Linux (most are), you were not affected at all. In any case, it is patched now.
There are no open security issues.