# Vulnerabilities

#### Keeping our products safe is a top priority. While we work hard to ensure security, we know it’s impossible to foresee every scenario. That’s why we encourage our users and the security community to report any security concerns directly to us. We are committed to addressing all vulnerabilities in WP Cloud Plugins promptly and effectively.

### **Disclosure Policy**

Please do not discuss any vulnerabilities (even resolved ones) without express consent.

### **Submit your report**

When you've found a security issue, please submit the report to us via [a support ticket](https://florisdeleeuwnl.zendesk.com/hc/en-us/requests/new). In your ticket, make sure to include:

* The impact of the issue.
* A detailed guide on how to reproduce the issue.
* (optional) A screen recording demonstrating the issue.

### **After your submission**

We will make a best effort to meet the following response targets for security reports:

* Time to first response (from report submit) – 3 business days
* Time to triage (from report submit) – 7 business days

We’ll keep you informed about our progress throughout the process.

### **Known vulnerabilities**

{% tabs %}
{% tab title="Share-one-Drive" %}
[**`CVE-2021-42548`**](#user-content-fn-1)[^1] •  Patched in version 1.15.3 - 6 December '21

> XSS vulnerability in the search functionality of the plugin. Shout out to Trainer Red for discovering and responsibly disclosing this issue!
{% endtab %}

{% tab title="Use-your-Drive" %}
[**`CVE-2021-42546`**](#user-content-fn-2)[^2] •  Patched in version 1.18.3 - 6 December '21

> XSS vulnerability in the search functionality of the plugin. Shout out to Trainer Red for discovering and responsibly disclosing this issue!

[**`CVE-2025-7050`**](#user-content-fn-3)[^3] •  Patched in version 3.3.2 - 1 August '25

> **Cross-Site Scripting in File Metadata**
>
> Fixed an XSS vulnerability in the file description field that allowed attackers to inject arbitrary JavaScript into any page rendering that metadata. Since descriptions weren’t properly sanitized, any user with file-upload privileges could publish a malicious file and trigger script execution in viewers’ browsers when they view the description via the plugin modules. \
> We’ve now implemented strict sanitization of all file metadata—only a safe subset of HTML tags and attributes is permitted, and all other content is stripped.\
> \
> **Credit:** Responsible disclosure by floerer (FloSecurity).
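The fix described above is an output allowlist: file descriptions are passed through a tag-and-attribute filter before they reach the page. The snippet below is an added illustration, not the plugin's code; it assumes it is executed inside WordPress (for example by requiring `wp-load.php` from a site root) so that `wp_kses()` is available, and the function names, the allowlist contents and the sample description are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not plugin code. Assumes wp_kses() is loaded, i.e. this file
// runs inside WordPress (e.g. `require '/path/to/wp-load.php';` first).
// All function names and the sample description below are constructed.

// Constructed sample: a description as an uploader might submit it. The
// script element and the event-handler attribute are the parts the filter
// must neutralise; the bold tag and the link are the parts it should keep.
$description = 'Quarterly report <b>(final)</b> '
    . '<a href="https://example.invalid/q3" target="_blank">link</a>'
    . '<script>alert(1)</script>'
    . '<img src="x" onerror="alert(1)">';

// Vulnerable pattern (the "before" state): metadata is echoed verbatim, so
// any HTML the uploader stored is interpreted by the viewer's browser.
function render_description_unsafe(string $description): string
{
    return '<div class="file-description">' . $description . '</div>';
}

// Hardened pattern: an explicit allowlist of tags and, per tag, attributes.
// Anything not listed (script, img, inline event handlers, style, ...) is
// removed, and URL attributes are restricted to the protocols given below.
function allowed_description_html(): array
{
    return [
        'a'      => ['href' => true, 'title' => true, 'target' => true, 'rel' => true],
        'b'      => [],
        'strong' => [],
        'i'      => [],
        'em'     => [],
        'br'     => [],
        'p'      => [],
        'ul'     => [],
        'ol'     => [],
        'li'     => [],
    ];
}

function render_description_safe(string $description): string
{
    $clean = wp_kses($description, allowed_description_html(), ['http', 'https', 'mailto']);
    return '<div class="file-description">' . $clean . '</div>';
}

$unsafe = render_description_unsafe($description);
$safe   = render_description_safe($description);

// The unsafe output still contains the script element; the filtered output
// does not. wp_kses strips disallowed tags but leaves their text content, so
// the literal characters "alert(1)" may survive as inert text.
var_dump(str_contains($unsafe, '<script>'));   // bool(true)
var_dump(str_contains($safe, '<script>'));     // bool(false)
var_dump(str_contains($safe, 'onerror'));      // bool(false)
var_dump(str_contains($safe, '<b>(final)</b>')); // bool(true)

echo $safe, PHP_EOL;
```

Two design points worth keeping in mind when applying this pattern: run the filter at render time even if the value was also sanitized on save, because stored data may predate the fix or arrive through another code path (imports, API writes); and keep the allowlist small, since every extra tag or attribute is surface that a later parser quirk can exploit.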
{% endtab %}

{% tab title="Out-of-the-Box" %}
[**`CVE-2021-42547`**](#user-content-fn-4)[^4] •  Patched in version 1.20.3 - 6 December '21

> XSS vulnerability in the search functionality of the plugin. Shout out to Trainer Red for discovering and responsibly disclosing this issue!

**`CROSS SITE SCRIPTING (XSS)`** •  Patched in version 2.7.2 - 5 December '23

> XSS vulnerability in the deprecated deeplink functionality of the plugin.
{% endtab %}

{% tab title="Lets-Box" %}
[**`CVE-2021-42549`**](#user-content-fn-5)[^5] •  Patched in version 1.13.3 - 6 December '21

> XSS vulnerability in the search functionality of the plugin. Shout out to Trainer Red for discovering and responsibly disclosing this issue!
{% endtab %}
{% endtabs %}

[^1]: <https://www.cve.org/CVERecord?id=CVE-2021-42548>

[^2]: <https://www.cve.org/CVERecord?id=CVE-2021-42546>

[^3]: <https://www.cve.org/CVERecord?id=CVE-2025-7050>

[^4]: <https://www.cve.org/CVERecord?id=CVE-2021-42547>

[^5]: <https://www.cve.org/CVERecord?id=CVE-2021-42549>
