Impact
Persistent XSS can be stored in the IP Address for a file download log entry. This XSS is then executed when viewing the file download logs in the WordPress admin.
Patches
We've released patches to fix this in:
2.9.16
2.8.19
2.7.13
Workarounds
There is no workaround that prevents new malicious entries from being stored; updating to a patched version is the only fix for future data. Existing entries can be cleaned up manually by scanning the wp_postmeta table for rows whose meta_key is _edd_log_ip and whose meta_value is not a valid IP address, and scrubbing those rows.
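The manual scrub described above, as an added example that is not part of this advisory or of the Easy Digital Downloads code base. It assumes the standard WordPress postmeta schema (post_id, meta_key, meta_value) and the default wp_ table prefix; the rows are constructed sample data, not data from any site. A value is treated as clean only if it parses as exactly one IPv4 or IPv6 address, so anything with markup appended to a real address, or stray whitespace, is flagged for review rather than trusted.

```python
import ipaddress

# Constructed sample rows modelled on wp_postmeta (post_id, meta_key, meta_value).
# Not real data; the payloads are illustrative only.
SAMPLE_ROWS = [
    (101, "_edd_log_ip", "203.0.113.7"),                          # clean IPv4
    (102, "_edd_log_ip", "2001:db8::1"),                          # clean IPv6
    (103, "_edd_log_ip", "<script>alert(1)</script>"),            # pure payload
    (104, "_edd_log_ip", "203.0.113.7<img src=x onerror=alert(1)>"),  # IP + payload
    (105, "_edd_log_ip", " 198.51.100.2 "),                       # padded, flag for review
    (106, "_edd_log_user_id", "<script>alert(1)</script>"),       # other key, out of scope
]


def is_valid_ip(value):
    """True only if value is exactly one IPv4 or IPv6 address and nothing else.

    ipaddress.ip_address() rejects trailing garbage, surrounding whitespace
    and HTML, which is what makes it usable as an allow-list check here.
    """
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def find_suspect_rows(rows, meta_key="_edd_log_ip"):
    """Return (post_id, meta_value) for rows with the given meta_key whose
    meta_value is not a valid IP address. Rows under other keys are ignored."""
    return [
        (post_id, value)
        for post_id, key, value in rows
        if key == meta_key and not is_valid_ip(value)
    ]


def cleanup_statements(suspect_rows, table="wp_postmeta", meta_key="_edd_log_ip"):
    """Build parameterised UPDATE statements that blank the offending values.

    Returns a list of (sql, params) pairs suitable for a DB-API cursor; the
    values are never interpolated into the SQL string. Table name and meta_key
    are assumptions taken from this advisory's description of the workaround.
    """
    sql = (
        f"UPDATE {table} SET meta_value = '' "
        "WHERE meta_key = %s AND post_id = %s"
    )
    return [(sql, (meta_key, post_id)) for post_id, _ in suspect_rows]


if __name__ == "__main__":
    suspects = find_suspect_rows(SAMPLE_ROWS)
    for post_id, value in suspects:
        print(f"post_id={post_id}: {value!r}")
    for sql, params in cleanup_statements(suspects):
        print(sql, params)
```

Review the flagged rows before running the generated statements: a padded but otherwise legitimate address (post 105 above) is harmless and may simply be trimmed, whereas anything containing markup should be blanked. The same strict allow-list check is the kind of validation the patched versions need at write time; it does not replace escaping the value when the admin log page renders it.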
For more information
If you have any questions or comments about this advisory: