My client sent a penetration test report indicating the wp-views plugin is using a vulnerable version of a JS library (Select2 v4.0.3). May I know what I should do?
I got the news that we will try to update the select2 library package to the latest one with the next release, which is scheduled for this month end or early Feb-2026. There is no exact date, but we will try our best to fix this issue as early as possible.
Most penetration scanners flag Select2 ≤ 4.0.3 because of CVE-2017-1000189 / related advisories, which describe:
- XSS risk via unescaped HTML in results or placeholders
- ONLY exploitable if untrusted user input is rendered as HTML
- ONLY relevant when Select2 is used in public-facing forms
Key point:
Select2 itself is not remotely exploitable by default.
It becomes exploitable only when developers pass unsanitized user input into Select2 with escapeMarkup disabled or custom templates.
However, we will give this issue as much priority as we can.
In wp-views, Select2 is used primarily for:
- Admin UI
- Editor dropdowns
- Backend configuration panels
Important facts:
- It is not exposed to anonymous users
- Inputs are controlled and sanitized
- No escapeMarkup: false usage with user input
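The distinction made above (Select2 only renders raw HTML when a developer disables escapeMarkup or returns markup from a custom template) can be checked offline. The following is an added example, not code from Select2 or from the wp-views plugin: it re-implements, in plain Node.js, only the decision Select2 4.x makes when rendering a result label (a string returned by templateResult is passed through escapeMarkup; an object return value is appended as-is), and compares the default configuration with the two risky patterns. The option names escapeMarkup and templateResult are real Select2 options; the untrusted item, the DEFAULT_REPLACE_MAP contents and the helper names are assumptions for this demonstration.

```javascript
// Added example: minimal model of Select2's escaping decision (not Select2's code).
// Select2's built-in escapeMarkup maps these characters to HTML entities.
const DEFAULT_REPLACE_MAP = {
  '\\': '&#92;', '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#47;',
};

function defaultEscapeMarkup(markup) {
  return String(markup).replace(/[&<>"'\/\\]/g, (ch) => DEFAULT_REPLACE_MAP[ch]);
}

// Model of the rendering step. A string from templateResult goes through escapeMarkup
// before reaching innerHTML; an object (DOM/jQuery node in real Select2, modelled here
// as { html }) is appended without any escaping. Disabling escaping is usually done
// with an identity function, escapeMarkup: (m) => m; real Select2 would throw on a
// non-function value, which this model does not reproduce.
function renderResultHtml(item, options = {}) {
  const templateResult = typeof options.templateResult === 'function'
    ? options.templateResult
    : (data) => data.text;
  const escapeMarkup = typeof options.escapeMarkup === 'function'
    ? options.escapeMarkup
    : defaultEscapeMarkup;
  const content = templateResult(item);
  if (typeof content === 'string') {
    return escapeMarkup(content);
  }
  return content.html; // object: raw markup, escapeMarkup is bypassed
}

// Audit helper: does this option set let untrusted text reach the DOM as markup?
function rendersRawMarkup(options = {}) {
  const probe = { id: 0, text: '<x>' }; // constructed probe value
  return renderResultHtml(probe, options).includes('<x>');
}

// Compare the configurations discussed above on one constructed untrusted value,
// e.g. a term name that an anonymous visitor could submit to a public-facing form.
function compareConfigurations() {
  const untrustedItem = { id: 1, text: '<script>alert(1)</script>' };
  return {
    // 1. Default: escaped, shown as literal text.
    safeDefault: renderResultHtml(untrustedItem),
    // 2. escapeMarkup disabled: raw HTML reaches the DOM.
    disabledEscape: renderResultHtml(untrustedItem, { escapeMarkup: (m) => m }),
    // 3. Custom template that interpolates the untrusted field directly.
    customTemplateRaw: renderResultHtml(untrustedItem, {
      templateResult: (data) => ({ html: `<span class="term">${data.text}</span>` }),
    }),
    // 4. Custom template that escapes the untrusted field first.
    customTemplateSafe: renderResultHtml(untrustedItem, {
      templateResult: (data) => ({
        html: `<span class="term">${defaultEscapeMarkup(data.text)}</span>`,
      }),
    }),
  };
}

// Usage: node select2-escape-model.js
console.log(compareConfigurations());
console.log('default renders raw markup:', rendersRawMarkup());
console.log('identity escapeMarkup renders raw markup:', rendersRawMarkup({ escapeMarkup: (m) => m }));
```

The rendersRawMarkup check is the one a reviewer would run over each Select2 initialisation that receives user-controlled data: the default configuration and the escaping custom template both return false, while the identity escapeMarkup and the interpolating template return true, which is the condition the report's finding depends on.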