• Resolved sugilite

    (@sugilite)


    Hi, I received a warning regarding the plugin from WordPress itself.

    Custom Product Tabs for WooCommerce <= 1.8.5 – Authenticated (Shop Manager) PHP Object Injection

    The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5.

    Curiously, my test site upgraded to 1.8.5; my production site on 1.8.4 does not seem to know about the latest update.

    I also have the pro version, and when I click on the yikes and visit plugin links I get redirected from yikesplugins.com to abcdane.net/ which is quite concerning.

    This form here is the only way I can make contact; I tried all the other ways without success. Could you please give us an update on what is happening?

    Thank you for your response and the great plugin.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Web Builder 143

    (@webbuilder143)

    Hi @sugilite

    Thank you for reaching out with your concern! The plugin you are referring to is from a different vendor, although the name is indeed similar to ours. Please contact the corresponding plugin author.

    +ES

    (@evelynmsdesigngraphicscom)

    Hello, @webbuilder143, I see that you state the vulnerability is for a different vendor (above). However, WordFence is indicating that this (your) plugin is the one with the vulnerability. WordFence is LINKING to this plugin. You may see (and test) their link to your plugin here:

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wb-custom-product-tabs-for-woocommerce

    If they are wrong in their statement that your plugin is vulnerable, then please reach out to them to stop linking to this plugin as that is giving you/your plugin a bad reputation (as no fix is provided). Please ask WordFence to link their vulnerability notice to the correct plugin (instead of yours) and ask them to send out an email about that correction.

    Thank you.

    Plugin Author Web Builder 143

    (@webbuilder143)

    Hi @evelynmsdesigngraphicscom,

    Our plugin also had a vulnerability reported, which is the one linked in your message. However, the issue has already been patched.

    The plugin referred to by @sugilite is not ours. The version number mentioned is different, and it also refers to a “pro” version. Our plugin does not have a pro version.

    +ES

    (@evelynmsdesigngraphicscom)

    Hi+

    Thank you for the quick response and clarifications. My apologies for not *seeing* those specifics. Have a great day!

    Thanks!
