In WordPress version 6.4 the below versions of the libraries are present:
* jQuery v1.13.2
* ua-parser-js v0.7.7
* plupload v2.1.9
The above libraries might be outdated and we have checked in the latest version, 6.6.
The versions are:
* jQuery v1.13.3
* ua-parser-js v0.7.7
* plupload v2.1.9
Do we know when this can be upgraded?
Thanks,
Kajori

If anyone from the WordPress dev team is reading this, just wanted to ask if there’s an official statement for WordPress not updating plupload and tinymce to the latest version. Reason is that we use WordPress on our project and the recent VAPT conducted highlighted that these two items are outdated and should be updated to the latest version to mitigate the vulnerabilities associated with the versions bundled in the latest WordPress version (6.4.3 as of this writing).
Would like to get an official statement so I can tell the VAPT testers that these have been patched by the WordPress core dev team and can verify that the versions bundled in WordPress core are not affected by the CVEs currently circulated.
Thanks.
Will

Some days ago I’ve been searching for information to update the plupload.js (or the whole plupload folder). I know that the vulnerability is already patched but in most of the cases having our documents/code updated is a good practice… Do you have any help to update the plupload? Mine is outdated… I downloaded a version from its website https://plupload.com/ but it has different documents (https://ibb.co/jbYv5QT) and it’s not clear how to update it… I would be grateful if you can help me, thanks.

When I am creating/editing the pod, a bar appears and moves partially across (may not be complete as the bar is much shorter than the border around it, and doesn’t change color or display an error message or success message).
I tried creating “/public_html/wp-content/uploads/Newsletters” but either way nothing is uploaded.
If I reopen the pod for editing, nothing indicates that a file is already attached.
There is nothing in the PHP error log.
If I dump the pod all other fields are contained except the file field. I don’t know if that is normal. The documentation (https://docs.pods.io/fields/file/) doesn’t say how to query the information but I have also tried wp_get_attachment_url() (with and without the post id).

In the settings for the field under the File / Image / Video Options tab…
If you have File Uploader > Upload only (Plupload) selected…
There is an option to set Custom Upload Directory, which has the help tooltip: “Magic tags are allowed for this field. The path is relative to the /wp-content/uploads/ folder on your site.”
How are you supposed to use Magic Tags in this field?
No matter what I try, I can’t get the Magic Tags to render. When I try something like {@id} it is replaced with nothing.
For example, if I have it set as “custom_folder/post_{@id}”, the file will be uploaded to the folder “custom_folder/post_”.
What Magic Tags are allowed here?
I would like to do something like “/u_{@username}/p_{@id}” (where @id I’m assuming is the post/page id…?)
Any suggestions?

plupload
URL: https://*********************/wp-includes/js/plupload/plupload.js
Detection method: The library’s name and version were determined based on the file’s contents.
CVE-ID: CVE-2012-2401, CVE-2013-0237
Description: Same Origin Policy bypass / Cross-site scripting (XSS) vulnerability in Plupload.as
References:
https://www.cvedetails.com/cve/CVE-2012-2401/
https://www.cvedetails.com/cve/CVE-2013-0237/
Vulnerability Description
You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
Discovered by JavaScript Library Audit (Internal)
How to fix this vulnerability
Upgrade to the latest version.
Classification
CWE
CWE-937
CVSS
Base Score: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
The current version (v2.1.9) doesn’t seem to be the latest.
Plupload – multi-runtime File Uploader
* v2.1.9
It would be nice to have this library updated on the next wp upgrade.

On the “Add Gallery” page, translations for buttons like “Start Upload” are never loaded… By searching the module files, I found in the “_find_plupload_i18n()” declaration that the path “file_exists($dir . $tmp[0] . '.js')” never matches any translation file (fr.js in my case). [Line 410 / 413 in products/photocrati_nextgen/modules/nextgen_addgallery_page/package.module.nextgen_addgallery_page.php]
I managed to fix the error temporarily by adding the missing “/” and replacing the path with “file_exists($dir . '/' . $tmp[0] . '.js')”, and the translation file loaded correctly.
Is there another solution? Could you correct this error permanently?

?adb_page=edit-package/2236/:1791
Uncaught ReferenceError: plupload is not defined
at HTMLDocument.<anonymous> (?adb_page=edit-package/2236/:1791)
at i (jquery.js?ver=1.12.4-wp:2)
at Object.fireWith [as resolveWith] (jquery.js?ver=1.12.4-wp:2)
at Function.ready (jquery.js?ver=1.12.4-wp:2)
at HTMLDocument.J (jquery.js?ver=1.12.4-wp:2)
(anonymous) @ ?adb_page=edit-package/2236/:1791
i @ jquery.js?ver=1.12.4-wp:2
fireWith @ jquery.js?ver=1.12.4-wp:2
ready @ jquery.js?ver=1.12.4-wp:2
J @ jquery.js?ver=1.12.4-wp:2
We use plupload for the plugin to handle the upload process. When we upgraded core, the upload button just stopped doing anything. No errors.
I am trying to figure out what happened to plupload?

Thank you for your help and your answers