Viewing 4 replies - 1 through 4 (of 4 total)
    Moderator James Huff

    (@macmanx)

    @benixgo It looks like Sucuri is reading this plugin’s integration files as if they were the actual plugins they’re named after.

    Taking this one for example:

    vulnerable Jetpack plugin found at ./wp-content/plugins/gamipress/integrations/jetpack/jetpack.php – Version: 1.0.0 Please update this plugin immediately: https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/

    If you were indeed using Jetpack 1.0.0, that would indeed be very bad. As the link mentions, there is a security vulnerability in Jetpack 12.1.1 and lower.

    But, you don’t have to worry. The current version of Jetpack is 13.9, has no known vulnerabilities, and the file in question is just version 1.0.0 of GamiPress’s Jetpack integration, which is, crucially, not the Jetpack plugin.

    @gamipress You might want to consider renaming those files, so something like this doesn’t happen.

    Plugin Author Ruben Garcia

    (@rubengc)

    Hi @macmanx

    I’m Ruben, CEO at GamiPress & AutomatorWP.

    We do not know why Sucuri is still working with those files, since they are not in the main directory where the plugin file should be placed.

    We reported it several times to Sucuri, asking them not to check files in subfolders as the main one; other security plugins have already fixed it, but it seems that Sucuri is still working on this fix…

    Moderator James Huff

    (@macmanx)

    These security scanners are blunt instruments; they can only be as smart as their developers make them.

    I can guess why Sucuri thought that /wp-content/plugins/gamipress/integrations/jetpack/jetpack.php was /wp-content/plugins/jetpack/jetpack.php.

    It’s annoying, it should be fixed on Sucuri’s end, but it is plausible.

    I think the only effective way forward, or at least the only way forward in your control, is to rename the files themselves, e.g. /integrations/jetpack/jetpack.php to /integrations/jetpack/gamipress-jetpack.php.

    I know that’s a fair bit of work, but the confusion amongst your existing and future users will continue until either you do that or Sucuri finally fixes their scanner, and you can only control your own stuff.
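The false positive described in this thread comes down to where a scanner looks for plugin headers. WordPress itself only treats `wp-content/plugins/*.php` and `wp-content/plugins/<slug>/*.php` as plugin main files; a scanner that walks the whole tree and trusts every header it finds will mistake an integration stub for the real plugin. The script below is an added example, not code from the thread, from Sucuri or from GamiPress: it builds a constructed fake install in memory (the header text of the integration file is invented for the example and does not reproduce the real file), then runs a naive recursive scan beside one limited to real plugin main files. The version threshold uses the numbers given in the thread (Jetpack 12.1.1 and lower needs updating).

```python
"""Added example: why a recursive header scan flags
gamipress/integrations/jetpack/jetpack.php as a vulnerable Jetpack install,
and how restricting the scan to WordPress plugin main files avoids it.
All file contents below are constructed for this example."""

import posixpath

# Constructed fake install: path -> file contents. WordPress plugin headers
# are comment blocks at the top of the plugin's main PHP file.
FAKE_SITE = {
    "wp-content/plugins/jetpack/jetpack.php": """<?php
/**
 * Plugin Name: Jetpack
 * Version: 13.9
 */""",
    "wp-content/plugins/gamipress/gamipress.php": """<?php
/**
 * Plugin Name: GamiPress
 * Version: 1.0.0
 */""",
    # Integration stub nested inside GamiPress; header text is constructed,
    # not the real file.
    "wp-content/plugins/gamipress/integrations/jetpack/jetpack.php": """<?php
/**
 * Plugin Name: Jetpack
 * Version: 1.0.0
 */""",
}

# Advisory threshold from the thread: Jetpack <= 12.1.1 needs updating.
ADVISORIES = {"Jetpack": "12.1.1"}


def parse_plugin_header(contents):
    """Return {'Plugin Name': ..., 'Version': ...} parsed from a WordPress
    header comment, or {} if the file carries no such header."""
    header = {}
    for line in contents.splitlines():
        line = line.strip().lstrip("*").strip()
        for key in ("Plugin Name", "Version"):
            if line.startswith(key + ":"):
                header[key] = line[len(key) + 1:].strip()
    return header


def version_tuple(version):
    """'12.1.1' -> (12, 1, 1) so that '13.9' compares greater than '12.1.1'."""
    return tuple(int(part) for part in version.split("."))


def is_plugin_main_file(path, plugins_dir="wp-content/plugins"):
    """True only where WordPress itself looks for plugin headers:
    plugins/<file>.php or plugins/<slug>/<file>.php. Anything nested deeper
    is a plugin's internal file, not an installed plugin."""
    rel = posixpath.relpath(path, plugins_dir)
    parts = rel.split("/")
    return not rel.startswith("..") and len(parts) in (1, 2) and parts[-1].endswith(".php")


def scan(site, naive):
    """Return sorted (path, plugin name, version) findings for files whose
    header matches an advisory. naive=True checks every file under plugins/
    (the behaviour the thread describes); naive=False only checks real
    plugin main files."""
    findings = []
    for path, contents in sorted(site.items()):
        if not naive and not is_plugin_main_file(path):
            continue
        header = parse_plugin_header(contents)
        name, version = header.get("Plugin Name"), header.get("Version")
        if name in ADVISORIES and version and \
                version_tuple(version) <= version_tuple(ADVISORIES[name]):
            findings.append((path, name, version))
    return findings


if __name__ == "__main__":
    print("naive scan:", scan(FAKE_SITE, naive=True))
    print("fixed scan:", scan(FAKE_SITE, naive=False))
```

Running it shows the naive scan reporting the integration stub as "Jetpack 1.0.0" while the real Jetpack 13.9 install is correctly left alone; the fixed scan reports nothing. The rename suggested above (e.g. `gamipress-jetpack.php`) only helps scanners that key on file names; scanners that key on the `Plugin Name:` header still need the path restriction shown here.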

    Thread Starter Benixgo

    (@benixgo)

    Ok, that’s what I thought. Thanks for the quick answers, guys. I will also open a ticket with Sucuri; hope that helps!
