Vulnerabilities
Keeping our products safe is a top priority. While we work hard to ensure security, we know it’s impossible to foresee every scenario. That’s why we encourage our users and the security community to report any security concerns directly to us. We are committed to addressing all vulnerabilities in WP Cloud Plugins promptly and effectively.
Disclosure Policy
Please do not discuss any vulnerabilities (even resolved ones) without express consent.
Submit your report
When you've found a security issue, please submit the report to us via a support ticket. In your ticket, make sure to include:
The impact of the issue.
A detailed guide on how to reproduce the issue.
(optional) A screen recording demonstrating the issue.
After your submission
We will make a best effort to meet the following response targets for security reports:
Time to first response (from report submit) – 3 business days
Time to triage (from report submit) – 7 business days
We’ll keep you informed about our progress throughout the process.
Known vulnerabilities
• Patched in version 1.18.3 - 6 December '21
XSS vulnerability in the search functionality of the plugin. Shout out to Trainer Red for discovering and responsibly disclosing this issue!
7050 • Patched in version 3.3.2 - 1 August '25
Cross-Site Scripting in File Metadata
Fixed an XSS vulnerability in the file description field that allowed attackers to inject arbitrary JavaScript into any page rendering that metadata. Since descriptions weren’t properly sanitized, any user with file-upload privileges could publish a malicious file and trigger script execution in viewers’ browsers when they view the description via the plugin modules. We’ve now implemented strict sanitization of all file metadata—only a safe subset of HTML tags and attributes is permitted, and all other content is stripped. Credit: Responsible disclosure by floerer (FloSecurity).
• Patched in version 1.20.3 - 6 December '21
XSS vulnerability in the search functionality of the plugin. Shout out to Trainer Red for discovering and responsibly disclosing this issue!
CROSS SITE SCRIPTING (XSS) • Patched in version 2.7.2 - 5 December '23
XSS vulnerability in the deprecated deeplink functionality of the plugin.
• Patched in version 1.13.3 - 6 December '21
XSS vulnerability in the search functionality of the plugin. Shout out to Trainer Red for discovering and responsibly disclosing this issue!