Plugin Updates – Cross-Site Request Forgery Vulnerability – WordPress Store Locator Plugin

WordPress Store Locator Fixes Major Issues

A couple of months back there was a major security advisory for this plugin; see the Secunia WordPress Store Locator Security Advisory, in which a cross-site request forgery (CSRF) issue was noted:

A vulnerability has been discovered in the Store Locator plugin for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. delete store locations if an administrator visits a malicious web site.


Solution:
Update to version 2.12.
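To make the advisory's point concrete, here is an added example (not code from the Store Locator plugin or from Secunia) of the pattern it describes: a WordPress admin action that deletes a record on any request that reaches it, beside the same action protected with WordPress's capability and nonce checks. The hook name, the sl_example_ prefix and the option keys are assumptions chosen for illustration; the WordPress functions used (current_user_can, check_admin_referer, wp_nonce_url, add_action on the admin_post_ hook) are the real core API.

```php
<?php
/*
 * Added example, not code from the Store Locator plugin.
 * Hook name, option keys and the sl_example_ prefix are assumptions.
 */

// --- Vulnerable pattern: acts on any request that reaches the handler. ---
// A request triggered from another site carries the logged-in admin's
// cookies, so this runs with admin privileges without the admin intending it.
// (Deliberately NOT registered with add_action, so it is never active.)
function sl_example_delete_location_unchecked() {
    $id = isset( $_REQUEST['location_id'] ) ? absint( $_REQUEST['location_id'] ) : 0;
    if ( $id ) {
        delete_option( 'sl_example_location_' . $id );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=sl_example' ) );
    exit;
}

// --- Hardened pattern: capability check, then nonce check. ---
function sl_example_delete_location() {
    // 1. Only users allowed to manage the site may delete locations.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. The request must carry a nonce bound to this action, this record
    //    and this user's session. A page on another origin cannot read or
    //    guess it, so a forged request fails here; check_admin_referer()
    //    calls wp_die() itself on failure.
    $id = isset( $_REQUEST['location_id'] ) ? absint( $_REQUEST['location_id'] ) : 0;
    check_admin_referer( 'sl_example_delete_location_' . $id, '_wpnonce' );

    if ( $id ) {
        delete_option( 'sl_example_location_' . $id );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=sl_example' ) );
    exit;
}
add_action( 'admin_post_sl_example_delete_location', 'sl_example_delete_location' );

// Delete link rendered on the plugin's own admin page. The nonce is
// embedded server-side, so legitimate requests carry it and forged ones do not.
function sl_example_delete_link( $id ) {
    $url = add_query_arg(
        array(
            'action'      => 'sl_example_delete_location',
            'location_id' => absint( $id ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'sl_example_delete_location_' . $id, '_wpnonce' );
}
```

The nonce is tied to the specific location id as well as the action, so a token obtained for one record cannot be replayed against another; the capability check comes first so that an unauthenticated or low-privilege request is rejected before the nonce is even examined.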

Cross-site request forgery is a security issue and as such should be addressed right away if you are using this plugin. The good news is that they have been making updates since that security advisory came out in late November 2013. The current version of this plugin is now 2.16; see the change log below:

WordPress Store Locator

Plugin Version: 2.16

WordPress Compatibility: 3.8

Last Updated: 1/3/2014

Authors: Viadat

Average 5-Star Rating: 3.5


2.16

  • More WP 3.8 integration updates
  • Location Management / Admin CSS improvements
  • MapDesigner update

2.15.x

  • Several Store Locator admin updates due to significant WP admin interface changes introduced in WordPress v3.8. Elements fixed include:
      ◦ Pull-Out Dashboard & Modules
      ◦ MapDesigner page
      ◦ All Sectional headers
      ◦ Addons Platform Settings page
      ◦ Admin CSS fixes
  • Still maintains good appearance for pre-WP v3.8 installs also

2.14

  • Update for better directory/file management. Should improve overall/addons’ functionality, display of web content such as search buttons on sites w/more strict or custom hosting setups (such as GoDaddy)
  • Same-origin fix for websites that allow display of both ‘www.domain.com’ and ‘domain.com’ versions of their sites, to make sure locations load properly on both versions

2.13.1

  • Fix for properly registering option choosing whether to display search results when loading locations by default
  • Minor fix for city dropdown option

2.13

  • Pull-out Dashboard fixes: operates more gracefully for those with certain functionality absent (file_get_contents, cURL, etc)
  • Fixed issue of blank admin area for small segment of users
  • Added SL_VERSION to defined constants
  • Interface/marker Infowindow CSS update

2.12.x

  • Fixed issue causing ‘geo_success’ warning in Firefox. Better auto-location for Firefox browsers now.
  • Addon/Theme Updates:
      ◦ [addon] Categorizer – updates: category search form; readme file