Hello,
after unsuccessfully having tried contacting the pling team in various ways (incl. this forum), I have now published information about as yet unpatched vulnerabilities in all pling-based marketplace websites as well as the PlingStore native application in order to warn you users:
- appimagehub.com, store.kde.org, gnome-look.org, xfce-look.org, pling.com are affected by a stored, wormable Cross-Site Scripting vulnerability that allows taking over accounts
- The PlingStore Electron app is affected by a Remote Code Execution vulnerability that can be exploited by any website while PlingStore is running in the background
The full details can be found here: Linux marketplaces vulnerable to RCE and supply chain attacks | Positive Security
Cheers,
Fabian