Anant Shrivastava shared a link to the group: OWASP - The Open Web Application Security Project.


http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto

Recently encountered a scenario where a vulnerability was present in code not updated since March 2013; someone separately found it in Aug 2014. Till May 2015 it was not patched, although a pull request for the issue had already been present since 2013. The code is used by a multitude of projects, but no one keeps track of upstream bug reports or pull requests. Even 7 days after the update, very few up-to-date downstreams are found. I have blogged about the whole experience here: http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto Hope someone finds it useful.

Just an FYI: as per my checks so far, at least 3.5L WordPress websites have this vulnerable code, and 10L or so instances were identified via a NerdyData HTML code search. https://search.nerdydata.com/code/?and_code%5B0%5D=jquery.prettyphoto.js&limit=0%2C10&rank_min=1&rank_max=1000001

Note: I am not the finder of the vulnerability; my client was attacked via it, and the information was already present. I nudged people to get the fix in place and am now trying to get the information across, hoping to get fixes in place.