TGM Plugin Point In Soft Reject

File name: tgm-plugin/class-tgm-plugin-activation.php
Code: line 1592
Description: Unsanitized user input from an HTTP parameter flows into preg_match, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

This is a potential vulnerability that you need to fix. Please do the same for line 1080 and 3094 which is for XSS vulnerability.

Anyone There For Help ?

Which version of TGM are you using? 2.6.1?

Yes

That’s odd.
The “$slug” comes at line 1592, it’s been already sanitized at line 815.
The “$key” comes at line 1592, it’s been already sanitized at line 1482.

Line 1080/3094 seems fine, too

wp_kses_post( $activate->get_error_message() )

Where I Need To Change ?

I’m saying it looks fine but can you share the file? You may have used different one

Here Is File: https://themeht.comclass-tgm-plugin-activation.zip/

Are you using source string ( domain-name. co/file.zip ) to get the files on your configuration?

Add this to the comment and re-upload the item. And ask for screenshot if the issue persists.

Ok. Thank You So Much

Hi @ThemeHt,

As far as I have checked I think reviewer comment is correct. You have to sanitize for those lines: 1592, 1080 and 3094

Explanation:
1592 => $slug - is from line 1421, 1431 and line 1421 sanitized there. So we can say it is okay. Better sanitize again here.
1592 => $key - is from line 1589 => 1591 => 2023 not sanitized. So you have to sanitize.

1080 and 3094 => To keep yourself safe from XSS, you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code. So you have to sanitize before render (echo/print) the output.

Hope you will get some help.

Thanks