CVE-2022-2628 The DSGVO plugin before 4.2 doesn't sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks.

All of the intended settings are now escaped and sanitised before being saved.

All in one for WP plugin version 4.2 and above

Plugin version 4.2 and above now escapes and sanitises all settings before they are saved.

Unfiltered_html setting is now escaped and sanitised before being saved.

Settings are now sanitised before they are saved, so they are safe to be sent via email, posted on a site or anywhere else.

Settings are no longer left unescaped, which is a critical change. The old version of this plugin left all settings unescaped, which made them vulnerable to Stored Cross-Site Scripting attacks.

To get the previous version of this plugin, visit https://wordpress.org/plugins/dgvp-all-in-one/

New Features

The plugin now supports plugins that use regular expressions, so the behaviour of settings such as 'unfiltered_html' or 'keywords' can be changed easily.

What settings are now escaped?

Settings that were previously not escaped and could be exploited are now escaped.

The following settings are now escaped:
**Unfiltered_html setting**
**Edit Profile setting**
**Hover Title setting**
**Hover Link setting**
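The fix described in this changelog is the standard WordPress pattern of sanitising a setting when it is saved and escaping it again for its output context. The PHP below is an added illustration of that pattern and is not code from the DSGVO plugin; the option names, the `hypothetical_` prefix and the settings group are assumptions, and the three options stand in for the settings listed above.

```php
<?php
// Added illustration (not the DSGVO plugin's own code): "sanitise on save,
// escape on output" for plugin settings. All option names, the settings
// group and the hypothetical_ prefix are assumptions.

// Registering each setting with a sanitize_callback means the value is
// cleaned before update_option() stores it, whichever form submits it.
add_action( 'admin_init', function () {
    // Plain-text setting: strip tags, invalid UTF-8 and line breaks.
    register_setting( 'hypothetical_settings', 'hypothetical_hover_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );

    // URL setting: keep only a well-formed URL with an allowed scheme;
    // esc_url_raw() returns '' when the scheme or syntax is rejected,
    // which drops javascript: and data: values before they are stored.
    register_setting( 'hypothetical_settings', 'hypothetical_hover_link', array(
        'type'              => 'string',
        'sanitize_callback' => function ( $value ) {
            return esc_url_raw( (string) $value, array( 'http', 'https' ) );
        },
        'default'           => '',
    ) );

    // Rich-text setting ("unfiltered" in name only): restrict it to the
    // post-content allowlist, so <script>, on* event handlers and
    // javascript: URLs are removed on save.
    register_setting( 'hypothetical_settings', 'hypothetical_unfiltered_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',
        'default'           => '',
    ) );
} );

// Output: escape for the exact context even though the stored value was
// sanitised. Escaping on output is what still blocks stored XSS when a
// value reached the database by another path (import, direct SQL, an
// older plugin version that saved it unescaped).
function hypothetical_render_hover_widget() {
    $title = get_option( 'hypothetical_hover_title', '' );
    $link  = get_option( 'hypothetical_hover_link', '' );
    $html  = get_option( 'hypothetical_unfiltered_html', '' );

    printf(
        '<a href="%1$s" title="%2$s">%3$s</a>',
        esc_url( $link ),   // URL attribute context
        esc_attr( $title ), // HTML attribute context
        esc_html( $title )  // HTML text context
    );

    // Re-apply the allowlist at render time so the emitted markup is bounded
    // by the same rules regardless of what the database holds.
    echo wp_kses_post( $html );
}
```

The two halves are deliberately redundant: the `sanitize_callback` protects the stored value, and the `esc_*` / `wp_kses_post()` calls at output protect the page, so a setting that bypassed the save path (for example one written by the pre-4.2 version) is still rendered safely.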

Why was the unfiltered_html setting unescaped?

The unfiltered_html setting was unescaped because it was used to send data via email or to post content to a website. This is no longer the case, and only settings that are safe for sending via email are now escaped.

Timeline

Published on: 10/03/2022 14:15:00 UTC
Last modified on: 10/05/2022 13:05:00 UTC