
[Resolved] Vulnerability in wp-views. Using vulnerable version of Select2 v4.0.3

This support ticket was created 4 months, 3 weeks ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Day      Hours
Sun      -
Mon–Fri  10:00 – 13:00, 14:00 – 18:00
Sat      -

Supporter's timezone: Asia/Kolkata (GMT+05:30)

This topic contains 4 replies and has 1 voice.

Last updated by Minesh 4 months, 2 weeks ago.

Assisted by: Minesh.

Author
Posts
#2843533

Hi,

My client sent a penetration test report indicating the wp-views plugin is using a vulnerable version of a JS library (Select2 v4.0.3). May I know what should I do?

#2843569

Minesh
Supporter

Languages: English

Timezone: Asia/Kolkata (GMT+05:30)

Hello. Thank you for contacting the Toolset support.

I've escalated the issue in front of our Devs and I will get in touch with you as soon as I have any update on it.

#2843573

Minesh
Supporter

I got the news that we will try to update the select2 library package to the latest one with the next release, which is scheduled to be by this month's end or early Feb-2026. There is no perfect date, but we will try our best in order to fix this issue as early as possible.

#2844015

Hi. Is there a way to expedite, since it's a vulnerability issue?

#2844080

Minesh
Supporter

I got the reply from our Dev:

Most penetration scanners flag Select2 ≤ 4.0.3 because of CVE-2017-1000189 / related advisories, which describe:
- XSS risk via unescaped HTML in results or placeholders
- ONLY exploitable if untrusted user input is rendered as HTML
- ONLY relevant when Select2 is used in public-facing forms

Key point:
Select2 itself is not remotely exploitable by default.
It becomes exploitable only when developers pass unsanitized user input into Select2 with escapeMarkup disabled or custom templates.

However - we will give priority to this issue as we can.

In wp-views, Select2 is used primarily for:
- Admin UI
- Editor dropdowns
- Backend configuration panels

Important facts:
- It is not exposed to anonymous users
- Inputs are controlled and sanitized
- No escapeMarkup: false usage with user input
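As an added illustration of the escapeMarkup point in the reply above (example code written for this page, not Toolset's or Select2's own): it models how a result label is rendered under the default configuration versus the pass-through override, and includes a small check for spotting the override in a config object. It assumes ESCAPE_MAP matches Select2's default escape table and only models templates that return strings.

```javascript
// Added example, not Toolset or Select2 code. Models how Select2 treats a result label
// under the default escapeMarkup (string templates are HTML-escaped) versus the common
// pass-through override (escapeMarkup: m => m) that turns an untrusted label into live HTML.
// Assumptions: ESCAPE_MAP mirrors Select2's default escape table; renderResult stands in
// for the library's rendering and only handles templateResult callbacks that return strings.

const ESCAPE_MAP = {
  '\\': '&#92;', '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#47;',
};

// Equivalent of the default escapeMarkup: every HTML-significant character becomes an entity.
function defaultEscapeMarkup(markup) {
  return String(markup).replace(/[\\&<>"'\/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Stand-in for Select2 rendering one result: optional string template, then escapeMarkup.
function renderResult(label, config) {
  const text = config.templateResult ? config.templateResult(label) : label;
  return config.escapeMarkup(text);
}

// Hardened configuration: keep the default escaping.
const safeConfig = { escapeMarkup: defaultEscapeMarkup };

// Weak configuration: escaping disabled so a custom template can emit HTML.
// Any label containing untrusted text is now inserted into the page as markup.
const weakConfig = {
  escapeMarkup: (m) => m,
  templateResult: (label) => '<span class="opt">' + label + '</span>',
};

// Review check for your own code: does this config's escapeMarkup return markup unchanged?
function escapeMarkupDisabled(config) {
  const probe = '<b>&"\'</b>';
  return typeof config.escapeMarkup === 'function' && config.escapeMarkup(probe) === probe;
}

// Does rendered output still contain a raw HTML tag (i.e. escaping did not happen)?
function containsRawTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed untrusted label, e.g. user-supplied text reaching a public-facing dropdown.
const untrustedLabel = '<script>x</script> & Co';
```

Running escapeMarkupDisabled over each Select2 config in a theme or plugin is a quick way to confirm the "no escapeMarkup pass-through with user input" claim for your own site.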