Hello, I noticed a Cross-site Scripting (XSS) – DOM weakness, as there is a vulnerable DOMPurify library used.
The identified library DOMPurify, version 2.0.12 is vulnerable and gets called in /wp-content/plugins/podlove-web-player/web-player/embed.js?ver=5.7.3
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
Can we update please to the latest version of DOMPurify v3.0.8 in the next release?
Thanks and kind regards!