Update to oik v4.10.2 for a security fix to prevent JavaScript in URLs.

The security issue was responsibly disclosed by Wordfence. Vulnerability Researcher: Francesco Carlucci.
| Field | Value |
|---|---|
| Vulnerability Title | oik <= 4.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE ID | CVE-2024-2256 |
| CVSS Severity Score | 6.4 (Medium) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| Organization | Wordfence |
| Vulnerability Researcher(s) | Francesco Carlucci |
## Description
The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bw_contact_button and bw_button shortcodes in all versions up to, and including, 4.10.0, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
## Areas affected
The issue was reported against the following shortcodes, [bw_contact_button] and [bw_button], when used with the link attribute.
The fix also applies to the following shortcodes, which were similarly vulnerable.
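As an added example (not oik's own code), the pattern behind the fix: a shortcode handler that copies a user-supplied `link` attribute straight into `href`, which is the unsafe shape the advisory describes, next to a hardened version that allow-lists URL schemes and entity-escapes the attribute. The function and attribute names are hypothetical; in WordPress the equivalent hardening is `esc_url()`, which returns an empty string for any scheme not in `wp_allowed_protocols()`.

```php
<?php
// Added example, not oik's own code. In WordPress the hardened path is what
// esc_url() provides; here it is spelled out in plain PHP so it runs stand-alone.

// Unsafe shape: the stored "link" attribute lands in href untouched, so a
// contributor's link="javascript:..." runs for every viewer of the page.
function render_button_unsafe(array $atts): string {
    $link = $atts['link'] ?? '';
    $text = $atts['text'] ?? 'Click';
    return '<a class="bw_button" href="' . $link . '">' . $text . '</a>';
}

// Hardened: allow-list the URL scheme, then entity-escape before use in an
// attribute. Returns '' for anything rejected.
function safe_href(string $url): string {
    // Browsers ignore control characters, so "java\tscript:" is still
    // javascript:; strip them first and encode spaces as esc_url() does.
    $url = preg_replace('/[\x00-\x1f\x7f]+/', '', trim($url));
    $url = str_replace(' ', '%20', $url);
    $parts = $url === '' ? false : parse_url($url);
    if ($parts === false) {
        return '';
    }
    $allowed = ['http', 'https', 'mailto', 'tel'];   // assumption: site policy
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), $allowed, true)) {
        return '';   // javascript:, data:, vbscript: and friends end here
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_button_hardened(array $atts): string {
    $href = safe_href((string) ($atts['link'] ?? ''));
    $text = htmlspecialchars((string) ($atts['text'] ?? 'Click'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($href === '') {
        return '<span class="bw_button">' . $text . '</span>';   // plain text, no link
    }
    return '<a class="bw_button" href="' . $href . '">' . $text . '</a>';
}

// Constructed sample attribute sets, as a contributor could store them in a post.
$samples = [
    ['link' => 'https://example.com/contact',   'text' => 'Contact'],
    ['link' => 'javascript:alert(1)',           'text' => 'Contact'],
    ['link' => "JAVA\tSCRIPT:alert(1)",         'text' => 'Contact'],
    ['link' => '/about" onmouseover="alert(1)', 'text' => 'About'],
];
foreach ($samples as $atts) {
    echo 'unsafe:   ' . render_button_unsafe($atts) . "\n";
    echo 'hardened: ' . render_button_hardened($atts) . "\n";
}
```

Only the first sample survives as a link in the hardened output; the scheme-based samples degrade to a plain `<span>`, and the attribute-breaking one is rendered with its quotes escaped.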
## What you should do
Update to oik v4.10.2 as soon as possible.
## Changes
| Change | Reference |
|---|---|
| Fixed: Escape the URL in links. | bobbingwide/oik#224 |
oik v4.10.2 also includes previously unreleased changes in oik v4.10.1.
| Change | Reference |
|---|---|
| Changed: Support PHP 8.3 | bobbingwide/oik#220 |
| Changed: Spam check subject for http | bobbingwide/oik#221 |
## Tested
- Tested: With WordPress 6.4.3 and WordPress Multisite
- Tested: With PHP 8.3
- Tested: With PHPUnit 9.6
