Is this security notice a false positive?

[spidrwebuk]

A client just reported this:

https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-13-7-3-authenticated-stored-cross-site-scripting-xss-vulnerability

thing is, the url says 13-7-3 but the plugin says 15.1.1

any ideas?

[skorasaurus]

It's not a false positive but I wouldn't worry very much. For this situation to be exploited, a user with permissions to edit or publish posts on your website would need to add an image block and use 'insert from URL' and that link would (hosted not on your domain but elsewhere) be to a nefarious SVG file.

I encourage your clients (or anyone for that matter) to never use the insert from URL option (even if this particular vulnerability did not exist) because:

• many domains are configured so that their content (hosted on their website) will not display on your or any other website if their content is directly 'hotlinked' as described in the URL that I mentioned.
• You are displaying content that is hosted elsewhere and that content can change at any time: someone else buys the domain, the other domain deletes the image or replaces the image with a different image (which can be nefarious) at the same URL , etc.

Always direct your clients to upload the images directly onto their website (and also trust where those images are coming from).

[spidrwebuk]

Awesome! thank you, well explained! :D