[wp-trac] [WordPress Trac] #48277: Update plupload library to the latest version
WordPress Trac
noreply at wordpress.org
Fri Mar 27 10:04:05 UTC 2020
#48277: Update plupload library to the latest version
-----------------------------+-------------------------
Reporter: Hareesh Pillai | Owner: desrosj
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 5.4
Component: General | Version:
Severity: critical | Resolution:
Keywords: has-patch early | Focuses: javascript
-----------------------------+-------------------------
Changes (by tlterry):
* status: closed => reopened
* resolution: fixed =>
* component: External Libraries => General
* severity: normal => critical
* type: enhancement => defect (bug)
Comment:
Hi WP support,
I am having the issue stated below; any idea how to fix this at your end?
**plupload 2.3.1 -- Found licenses in the 'Banned' license threat group ('AGPL-3.0')**
**Policy/Action** : License-Banned
**Constraint Name** : License not approved in any situation
**Conditions** : Found licenses in the 'Banned' license threat group ('AGPL-3.0')
**OCCURRENCES**
plupload.js located at sst-imdx-dev.zip/sst-imdx-dev/wp-includes/js/plupload
plupload.min.js located at sst-imdx-dev.zip/sst-imdx-dev/wp-includes/js/plupload
VULNERABILITIES
The plupload package is vulnerable to DOM Based Cross-Site Scripting
(XSS). The _addFiles() function of jquery.ui.plupload.js file allows HTML
in the filename to be rendered upon upload. An attacker can exploit this
vulnerability by crafting a file upload link containing a malicious
filename and enticing the user to click on that link, which, when
rendered, results in a DOM XSS attack.
**DETECTION**
The application is vulnerable by using this component.
**RECOMMENDATION**
There is no non vulnerable version of this package. We recommend
investigating alternative components or a potential mitigating control.
**ROOT CAUSE**
plupload-2.3.1.tgzpackage/js/jquery.ui.plupload/jquery.ui.plupload.js [2.2.0, )
plupload-2.3.1.tgzpackage/src/jquery.ui.plupload/jquery.ui.plupload.js [2.2.0, )
plupload-2.3.1.tgzpackage/js/jquery.ui.plupload/jquery.ui.plupload.min.js [2.2.0, )
Looking forward to hearing from you soon. Thanks.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48277#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform