The plugin is pre-1.0 and ships from main. Security fixes are applied to the
latest released version only.

| Version | Supported |
|---|---|
| 0.9.x | ✅ |
| < 0.9 | ❌ |

Please do not open a public GitHub issue for security problems.
Report privately by email to mail@rfluethi.com with:
- a description of the issue and its impact,
- steps to reproduce (a minimal example helps),
- the plugin version and WordPress/PHP versions you tested on.

You can expect an acknowledgement within a few days. Once a fix is available it will be released and the report credited if you wish.

Vertical Sidebar Navigation has a deliberately small attack surface:
- It registers block styles and enqueues a static stylesheet and script. It adds no settings pages, forms, AJAX handlers, REST routes, or shortcodes.
- It writes nothing to the database and stores no options, so there is no uninstall data and no user input to sanitise on the server.
- All PHP output is escaped (`esc_html__()` / `esc_html()`), direct file access is blocked (`defined( 'ABSPATH' ) || exit;`), and the admin notice is gated behind `current_user_can( 'manage_options' )`.
- The frontend script builds its only injected node (the hamburger icon) via DOM APIs, not from an HTML string, and renders no user-supplied data.

If you find something that contradicts the above, it is exactly the kind of report we want to receive.
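
One way to check the server-side claims in the list above is a small source audit that flags any WordPress API whose presence would contradict them. This is an added example, not the plugin's own code; the sample sources and the `vsn_` names are constructed, and the pattern list is an assumption about which calls matter.

```python
import re

# WordPress APIs whose presence would contradict a claim in the list above.
FORBIDDEN = {
    "settings page": r"\badd_(?:options|menu|submenu)_page\s*\(|\bregister_setting\s*\(",
    "AJAX handler": r"['\"]wp_ajax_(?:nopriv_)?",
    "REST route": r"\bregister_rest_route\s*\(",
    "shortcode": r"\badd_shortcode\s*\(",
    "database/option write": r"\$wpdb\b|\b(?:add|update)_(?:site_)?option\s*\("
                             r"|\bset_(?:site_)?transient\s*\(",
}
ABSPATH_GUARD = re.compile(
    r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)\s*(?:\|\||or)\s*(?:exit|die)\b")
# Crude comment stripper: also eats '//' and '#' inside string literals.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def audit(files):
    """Return sorted (filename, finding) pairs for a {filename: php_source} dict."""
    findings = []
    for name, source in files.items():
        code = COMMENTS.sub("", source)  # ignore API names mentioned in comments
        if not ABSPATH_GUARD.search(code):
            findings.append((name, "missing ABSPATH guard"))
        for label, pattern in FORBIDDEN.items():
            if re.search(pattern, code):
                findings.append((name, label))
    return sorted(findings)

# Constructed sample sources, not the plugin's real files.
SAMPLE = {
    "clean.php": "<?php\ndefined( 'ABSPATH' ) || exit;\n// no add_shortcode() here\n"
                 "register_block_style( 'core/navigation', array( 'name' => 'x' ) );\n",
    "drift.php": "<?php\nadd_action( 'wp_ajax_vsn_save', 'vsn_save' );\n"
                 "function vsn_save() { update_option( 'vsn', $_POST['v'] ); }\n",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A match is a prompt for manual review rather than proof of a vulnerability, and an empty result does not cover the frontend script.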