Hi,
2.5.6 has already been submitted to the plugins team for review and we’re awaiting their approval to reopen the plugin so everyone can update as normal.
When you manage the WordPress plugins using composer
(12-factor-app/roots.io-Bedrock-setup):
    "repositories": {
        "svg-support-repository": {
            "type": "package",
            "package": {
                "name": "benbodhi/svg-support",
                "version": "2.5.6",
                "source": {
                    "url": "https://plugins.svn.wordpress.org/svg-support/",
                    "type": "svn",
                    "reference": "tags/2.5.6"
                }
            }
        }
    },
    "require": {
        "benbodhi/svg-support": "2.5.6"
    },
Addendum (type: wordpress-plugin):
    "svg-support-repository": {
        "type": "package",
        "package": {
            "name": "benbodhi/svg-support",
            "type": "wordpress-plugin",
            "version": "2.5.6",
            "source": {
                "url": "https://plugins.svn.wordpress.org/svg-support/",
                "type": "svn",
                "reference": "tags/2.5.6"
            }
        }
    }
Working to address this ASAP.
To be clear, if you don’t have accounts with author or higher that you don’t trust, it won’t affect you unless someone gets those higher permissions.
According to Wordfence, even version 2.5.7 contains a vulnerability. Dozens of sites are sending me warnings about this. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/svg-support/svg-support-255-authenticated-author-cross-site-scripting-via-svg – Please fix this promptly. Otherwise, we will have to replace the plugin on all the sites we manage.
I’ve got another update in the works that hopefully addresses their warnings.
Version 2.5.8 should address this.
Thread Starter
Julian
(@terribletankard)
Thanks for the updates @benbodhi