• Resolved isaacrthorne

    (@isaacrthorne)


    I received a notice from my security provider that this plugin has a broken access control vulnerability in versions earlier than and equal to the current version: CVE-2023-40200.

    I have removed the plugin for now, but I was wondering if there is a forthcoming fix. I like this plugin and I don’t want to have to migrate to something else.

    Thanks for any assistance.

Viewing 5 replies - 1 through 5 (of 5 total)
  • invectorlabs

    (@invectorlabs)

    Same here. It would be a shame to have to look for something else. I really like the simplicity, flexibility and how well it integrates.

    Thanks
    /P

    Thread Starter isaacrthorne

    (@isaacrthorne)

    As there’s been no response yet, I decided to go ahead and switch to a different plugin so I can keep my news area up-to-date and functional. It was not easy to do. I had to install a secondary plugin that would move the WP News posts to the new plugin’s post type and recreate the taxonomies. Then I had to open each news story individually and update it in order to get it to show up on the aggregation page via the new plugin’s shortcode. I wish I hadn’t had to do this.

    Plugin Contributor Ketan Patel

    (@patelketan)

    Hello,

    Sorry for the late reply…

    Sorry for the inconvenience. Can you please tell me which security issue you are facing so we can check properly…

    Thread Starter isaacrthorne

    (@isaacrthorne)

    Hi, Ketan.

    Solid Security Pro by SolidWP flags the plug-in as having a broken access control. That’s basically all the information provided during their site scan other than it affects all versions and is unpatched. The flag started occurring last week.

    Yesterday, they included the vulnerability information in their regular security bulletin and recommended that the plug-in be deactivated:

    https://solidwp.com/blog/wordpress-vulnerability-report-november-15-2023/#h-wp-news-and-scrolling-widgets

    Hope this helps.

    Plugin Contributor Ketan Patel

    (@patelketan)

    Hello,

    We solved the security issue 2 months ago, but Wordfence has not updated the database. We have talked to Wordfence by email and Wordfence updated the database, so please check the Vulnerability Severity link. All plugins are working perfectly without any security issue…

  • The topic ‘Access control security bug’ is closed to new replies.