Arbitrary file upload vulnerability in v11.0.2

Hi, @robin-labadie!

Thank you for noticing, we are working on resolving the issue as soon as possible.

Feel free to write us, if you need any assistance,

Trustindex

Hi,
Do you know when a patch will be released? I am using your plugin on quite a few clients websites (including the Pro version on some) so have deleted the plugin on these installs for now to stay on the safe side, but the pages look unsightly with just the shortcode, and clients will soon start noticing that their reviews are not showing anymore, so I basically would need to know what to do next (for example, looking for a temporary replacement?). Thanks.

Looking at the plugin code, the file upload functionality is in the ‘Feature request’ section, which doesn’t sound important for normal use. I’ve temporarily disabled this by exiting straight away if it’s a POST:

wp-content/plugins/wp-reviews-plugin-for-google/tabs/feature_request.php

<?php
defined('ABSPATH') or die('No script kiddies please!');
if (isset($_POST['command']) && $_POST['command'] === 'send-feature-request') {
die('disabled'); // add this line

• This reply was modified 1 year ago by joelby37.
• This reply was modified 1 year ago by joelby37.

@joelby37 Thank you for sharing the code ??
To the plugin author – can we get an update about an official patched version please? I also emailed you yesterday morning through your website as I am using the Pro version. Thanks.

We also have several customers affected – eager for an update.

• This reply was modified 1 year ago by caordawebsol.

Hi,

This issue is resolved in the newest version of the plugin, please update!

Thank you for your patience!

Feel free to write us, if you need any assistance,

Trustindex

All good now, thanks for the update.

Let us know if you need any help!