### Critical Vulnerability Information

#### 1. Error Handling and Validation

- **Code Changes in `includes/class-frontend.php`**
  - The old code uses `esc_html` to escape the URL, which is insufficient for sanitizing URLs and could lead to potential XSS vulnerabilities.
  - The new code switches to `esc_url_raw`, which is a more secure method for sanitizing URLs.

#### 2. Version Updates and Vulnerability Fixes

- **Version 2.5.4**
  - **Fix: XSS vulnerability related to lightbox link handling**
    - Refactored lightbox link handling to use `DOMDocument` to parse and sanitize HTML content.
- **Version 2.5.3**
  - **Fix: SSRF vulnerability related to the `get_image_size_by_url` function**
    - Additional validation and sanitization added to prevent server-side request forgery (SSRF) attacks by ensuring URLs are properly validated.
- **Version 2.5.2**
  - **Fix: XSS vulnerability**
    - Added `wp_kses_post` to sanitize user input and prevent XSS attacks.

#### 3. Code Review Tool Warnings

- **Code Review**
  - The use of `esc_url_raw` instead of `esc_html` is highlighted as a security improvement.
  - The `sanitize_remote_image_url` method has been refactored to include additional validation checks.

### Summary

This diff highlights several critical security enhancements, including improvements in URL sanitization to prevent XSS and SSRF vulnerabilities. Proper validation and sanitization techniques have been implemented throughout the codebase to mitigate these risks. Developers should carefully review these changes and consider similar practices in their own code to enhance security.
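
The following is an added example, not the plugin's code, illustrating the two link-related fixes above: why HTML-escaping a URL is not enough, and how link markup can be sanitized by parsing it with `DOMDocument`. It is plain PHP with no WordPress dependency; `htmlspecialchars` stands in for `esc_html`, and the function names and sample markup are hypothetical.

```php
<?php
// Added illustration in plain PHP; function names are hypothetical, not the plugin's.

// Allowlist check: accept only absolute http(s) URLs, return '' otherwise.
// Anything that does not start with an allowed scheme is rejected, so
// obfuscated schemes never need to be normalized or recognized.
function example_safe_href(string $url): string {
    $url = trim($url);
    return preg_match('#^https?://#i', $url) === 1 ? $url : '';
}

// Parse the markup into a DOM, then fix each <a> as a node instead of
// pattern-matching on the HTML string.
function example_sanitize_lightbox_links(string $html): string {
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate real-world markup
    // The meta tag makes libxml read the fragment as UTF-8; the <div> is a wrapper.
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $wrap = $doc->getElementsByTagName('div')->item(0);
    foreach (iterator_to_array($wrap->getElementsByTagName('a')) as $a) {
        $href = example_safe_href($a->getAttribute('href'));
        if ($href === '') {
            $a->removeAttribute('href');          // drop unsafe or missing targets
        } else {
            $a->setAttribute('href', $href);
        }
        foreach (iterator_to_array($a->attributes) as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $a->removeAttribute($attr->name); // inline event handlers
            }
        }
    }

    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);           // serialize without the wrapper
    }
    return $out;
}

// Constructed sample input.
$sample = '<a href="javascript:alert(1)" class="lightbox">one</a>'
        . '<a href="https://example.com/a.jpg" onclick="track()">two</a>';

// HTML-escaping alone leaves the URL scheme in place.
echo htmlspecialchars('javascript:alert(1)', ENT_QUOTES), "\n";
echo example_sanitize_lightbox_links($sample), "\n";
```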