Skip to content

In reply to https://jan.boddez.net/notes/436f21f3a2. I log into ManageWP—a …

In reply to https://jan.boddez.net/notes/436f21f3a2.

I log into ManageWP—a dang handy tool by the way, although I only use it on a few select sites—for the first time in a long time, and bam, I get hit with the very same notice. Very same vulnerability database. (Clicking around a bit actually reveals that this particular CVE is all about a fairly ancient Windows app called FeedReader3, and that a certain mailing list at one point did mention, in a rather unrelated fashion, “WordPress,” so there’s that.)

Replies

  1. Jan Boddez on

    The issue, it seems, was that said “FeedReader3” would not, yep, strip script elements from feed entries. (Whereas this Feed Reader runs everything through wp_kses(). Well, except titles and stuff; those get run through sanitize_text_field(), which strips all HTML tags.)