• Resolved karlemilnikka

    (@karlemilnikka)


    Today, I’m publishing information about a vulnerability I found in the popular WordPress plugin FluentCRM by WPManageNinja. I responsibly disclosed the vulnerability according to Google Zero’s vulnerability disclosure policy. WPManageNinja has neither provided a patch within the 90-day window nor requested a time extension. I have therefore created a mitigation snippet you can add to your websites to prevent exploitation.

    Full report (except for details about exploiting the vulnerability which I will withhold until WPManageNinja has published a patched version): https://github.com/karlemilnikka/CVE-2023-1430.

    tl;dr Attackers can view and edit contact details in FluentCRM.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Shahjahan Jewel

    (@techjewel)

    Hello @karlemilnikka

    Thank you for reporting. We have released an update: 2.8.02 which will use the secure hash instead of md5 hash.

    Thank you

    Thread Starter karlemilnikka

    (@karlemilnikka)

    Thanks for patching the vulnerability, @techjewel. You, yet again, forgot to mention the vulnerability patch in your changelog. Please remember to always include information about security updates in your changelog so that your customers know how important the updates are (and update the changelog to mention CVE-2023-1430 so that it’s detected by vulnerability management systems).

    Thread Starter karlemilnikka

    (@karlemilnikka)

    @techjewel Thanks for adding the mention of CVE-2023-1430 to the changelog. You did the right thing.

  • The topic ‘[CVE-2023-1430] Mitigation snippet for unpatched vulnerability in FluentCRM’ is closed to new replies.