Vulnerability in wp-views. Using vulnerable version of Select2 v4.0.3

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun	Mon	Tue	Wed	Thu	Fri	Sat
-	10:00 – 13:00	10:00 – 13:00	10:00 – 13:00	10:00 – 13:00	10:00 – 13:00	-
-	14:00 – 18:00	14:00 – 18:00	14:00 – 18:00	14:00 – 18:00	14:00 – 18:00	-

Supporter timezone: Asia/Kolkata (GMT+05:30)

This topic contains 1 reply, has 1 voice.

Last updated by Minesh 1 month ago.

Assisted by: Minesh.

Author

Posts

February 6, 2026 at 7:03 am #2846780

gillianS-2

Hi, please let me know if issue fixed. As mentioned in the earlier ticket issue will be fixed in early Feb 2026.

https://toolset.com/forums/topic/vulnerability-in-wp-views-using-vulnerable-version-of-select2-v4-0-3/#post-2844080

February 6, 2026 at 1:21 pm #2846811

Minesh

Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

Hello. Thank you for contacting the Toolset support.

As I already inform you with the previous ticket with the following reply:
- https://toolset.com/forums/topic/vulnerability-in-wp-views-using-vulnerable-version-of-select2-v4-0-3/#post-2844080

Important facts:
- It is not exposed to anonymous users
- Inputs are controlled and sanitized - so you will not have to worry
- No escapeMarkup: false usage with user input

We already worked on this issue and updated the select2 version and the same updated hotfix version we suppose to release in one or two weeks. Probably next week if everything goes and works as expected.