[wp-trac] [WordPress Trac] #48277: Update plupload library to the latest version
WordPress Trac
noreply at wordpress.org
Mon Mar 30 16:11:36 UTC 2020
#48277: Update plupload library to the latest version
--------------------------------+-------------------------
Reporter: Hareesh Pillai | Owner: desrosj
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 5.4
Component: External Libraries | Version:
Severity: critical | Resolution:
Keywords: close | Focuses: javascript
--------------------------------+-------------------------
Changes (by azaozz):
* keywords: has-patch early => close
Comment:
Replying to [comment:10 tlterry]:
> I'm having the issue as stated below, any idea to fix this at your end?
>
> **plupload 2.3.1 -- Found licenses in the 'Banned' license threat group ('AGPL-3.0')**
WordPress includes Plupload 2.1.9 as that is the latest GPL compatible
release. See
https://core.trac.wordpress.org/ticket/48277?replyto=10#comment:7 and
https://core.trac.wordpress.org/ticket/48277?replyto=10#comment:8.
> VULNERABILITIES
> The plupload package is vulnerable to DOM Based Cross-Site Scripting
> (XSS). The _addFiles() function of jquery.ui.plupload.js file allows
There is no `jquery.ui.plupload.js` file in WordPress. It is part of the
optional "jQuery UI Widget" package for Plupload that was never used in
WP.
> **ROOT CAUSE**
>
> plupload-2.3.1.tgz package/js/jquery.ui.plupload/jquery.ui.plupload.js [2.2.0, )
As mentioned above WordPress uses Plupload version 2.1.9 and does not
include the above file. Seems this report was made in error.
In addition, it is imperative to make any security related reports on
https://hackerone.com/wordpress. Posting them on trac is not acceptable
for security reasons.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48277#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
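The disagreement in this thread is a dependency-scanner finding (Plupload 2.3.1, AGPL, an XSS in `jquery.ui.plupload.js`) that does not match what the project actually ships (Plupload 2.1.9, no jQuery UI widget). The script below is an added triage example, not code from WordPress or from the ticket: given a checkout root, it reads the Plupload version bundled under `wp-includes/js/plupload/` and walks the tree for the flagged file, so a scanner report can be compared against the shipped artifact before anyone acts on it. The header-comment format it parses (`* v2.1.9`) and the constructed sample tree are assumptions; the scanner's file name and version come from the thread.

```python
import os
import re
import tempfile

# Constructed sample of a plupload.js header; the real file's exact header
# layout is an assumption, and the version line is what the parser keys on.
SAMPLE_PLUPLOAD_JS = """/**
 * Plupload - multi-runtime File Uploader
 * v2.1.9
 *
 * Copyright 2013, Moxiecode Systems AB
 */
"""

# Files the scanner attributed to the upstream package (the optional jQuery UI
# widget named in the report) that the project says it does not ship.
FLAGGED_FILES = ["jquery.ui.plupload.js"]

# Matches a header line such as " * v2.1.9" and captures the version.
VERSION_RE = re.compile(r"^\s*\*\s*v(\d+\.\d+\.\d+)\s*$", re.MULTILINE)


def bundled_plupload_version(wp_root):
    """Return the version string from the bundled plupload.js header, or None."""
    path = os.path.join(wp_root, "wp-includes", "js", "plupload", "plupload.js")
    with open(path, encoding="utf-8") as fh:
        head = fh.read(2048)  # the header comment is at the top of the file
    match = VERSION_RE.search(head)
    return match.group(1) if match else None


def find_flagged_files(wp_root, names=FLAGGED_FILES):
    """Walk the checkout and return relative paths of any flagged file names."""
    hits = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if name in names:
                hits.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(hits)


def triage(wp_root, reported_version, flagged_files=FLAGGED_FILES):
    """Compare a scanner finding (version + file) against what is shipped.

    The finding is treated as applicable only if the shipped version equals
    the reported one or the flagged file is actually present in the tree.
    """
    shipped = bundled_plupload_version(wp_root)
    present = find_flagged_files(wp_root, flagged_files)
    return {
        "shipped_version": shipped,
        "version_matches_report": shipped == reported_version,
        "flagged_files_present": present,
        "finding_applies": shipped == reported_version or bool(present),
    }


def build_sample_tree(include_widget=False):
    """Create a constructed, minimal stand-in for a WordPress checkout."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    plupload_dir = os.path.join(root, "wp-includes", "js", "plupload")
    os.makedirs(plupload_dir)
    with open(os.path.join(plupload_dir, "plupload.js"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PLUPLOAD_JS)
    if include_widget:
        # Simulates a tree that really does carry the optional widget.
        widget_dir = os.path.join(plupload_dir, "jquery.ui.plupload")
        os.makedirs(widget_dir)
        with open(os.path.join(widget_dir, "jquery.ui.plupload.js"), "w", encoding="utf-8") as fh:
            fh.write("/* constructed placeholder for the optional widget */\n")
    return root


if __name__ == "__main__":
    # Reproduces the situation in the ticket: report says 2.3.1, tree ships 2.1.9.
    print(triage(build_sample_tree(), "2.3.1"))
```

Run against a real checkout, `triage("/path/to/wordpress", "2.3.1")` answers the two questions azaozz raises: which Plupload version is bundled, and whether the file the scanner named exists at all. A `finding_applies` of `False` is the signal to treat the report as a false positive against the vendored copy rather than the upstream package.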
WordPress publishing platform