• Resolved costamaya

    (@costamaya)


    1 vulnerability found.
    WP Cerber Security, Anti-spam & Malware Scan v9.0

    Arbitrary Code Execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin.

Viewing 15 replies - 1 through 15 (of 32 total)
  • Plugin Author gioni

    (@gioni)

    Is there any proof? The actual version is 9.3, not 9.0. See more: https://wpcerber.com/wp-cerber-security-9-3/

    Thread Starter costamaya

    (@costamaya)

    Hello Greg, you shouldn’t ask me for proof since I’m just one of your users. None of the 12 sites on which I use WPCerber has ever reported the availability of version 9.3; all have remained at 9.0 and WordPress does not report any updates available. My task was to report it to you, if you want to fix this. Well, unfortunately in the meantime I have to manually update the plugin to 9.3 on all sites (having to reconfigure all the settings) and it is a waste of time for me…

    kazam567

    (@kazam567)

    Hello,

    I am also running into this problem and the update to version 9.3 is not being offered :/

    Best regards

    Plugin Author gioni

    (@gioni)

    If you’re talking about WP Cerber, you do not have to reconfigure anything. Installing WP Cerber 9.3 from the file takes seconds: https://wpcerber.com/installation/

    Thanks for sharing the info with us. We take security even more seriously than anyone can expect, but without a proof from ManageWP, it’s not an actionable thing. We have a contact form to contact us regarding any security issue. Anyone, including ManageWP, can report their findings here: https://wpcerber.com/contact/

    Thread Starter costamaya

    (@costamaya)

    Gregory, after what you wrote about the latest version being 9.3, and not 9.0, it is evident that ManageWP has flagged WPcerber as a ‘vulnerability’ only because 9.0 is installed on my sites instead of 9.3 … one does not need to be a genius to understand this … in any case I don’t work for ManageWP, so I don’t ‘have’ to report anything to them, and if I have reported this issue to you it is out of kindness, to which you are replying with arrogance, which is not good for the image of your company. I am a loyal customer, treat me with due respect. The fact remains that all my numerous sites that use WPCerber have still not received any notice regarding the presence of a 9.3 update (not only via ManageWP), and if you read the other answers as well you will realize that the problem is not only mine. So, if I were you, I’d get to work figuring out why instead of giving pissed-off answers here. Having to manually install the plugin on all sites is still a waste of my time. This is why many webmasters rely on products like ManageWP; you should find a way to collaborate directly with them instead of being offended by all this.

    Thread Starter costamaya

    (@costamaya)

    Just to understand: you gave me a link to 9.3, but it seems that the latest version is 9.3.2… I hope my sites will notice this further update… I just finished manually updating all my sites to 9.3… I hope I won’t have to repeat all this just a few minutes later…

    patriciava

    (@patriciava)

    @costamaya after going through the forums for a bit with the same issue, I found that WP Cerber was removed from the WordPress repository in September – due to this security issue. Hence we didn’t receive any notifications about updates etc.

    It would have been nice to find a notification about this in our WP dashboard, but I see that this might not have been an option.

    I guess the update notifications should be available again now after updating to version 9.3.2

    There is an option in ManageWP to simultaneously upload a plugin to all your sites (great feature btw):

    Under Dashboard – Websites – select the ones affected (little checkbox in right corner) and use Tools (in top bar) – Plugins

    From there you can add Plugins from either the repository or a zip file
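The mechanism patriciava describes (a plugin closed on wordpress.org stops appearing in update checks, so an old version sits installed with no notice) can be checked per site. The following is an added example, not code from the thread, WP Cerber or ManageWP; it assumes the wordpress.org plugin-info endpoint `https://api.wordpress.org/plugins/info/1.0/<slug>.json`, which returns a `version` field for a listed plugin and an `error` field for a delisted one, and classifies what the dashboard would (not) show for an installed version.

```python
"""Classify a plugin's update state the way the WP dashboard sees it.
Added example (not from the thread or the plugin). Assumed endpoint:
https://api.wordpress.org/plugins/info/1.0/<slug>.json"""
import json
from urllib.request import urlopen  # only used by fetch_info()

WP_API = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"


def fetch_info(slug: str) -> dict:
    """Live lookup of a plugin slug (needs network); the check below is offline."""
    with urlopen(WP_API.format(slug=slug), timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def version_tuple(version: str) -> tuple:
    """'9.3.2' -> (9, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def update_status(installed: str, api_response: dict) -> str:
    """Return what WordPress would report for the installed version.

    'not-in-repository': wordpress.org no longer lists the slug, so the core
    update check never offers a newer version and the site stays silently old.
    """
    if "error" in api_response or "version" not in api_response:
        return "not-in-repository"
    latest = api_response["version"]
    if version_tuple(installed) < version_tuple(latest):
        return f"update-available:{latest}"
    return "up-to-date"


# Constructed sample responses in the shape the endpoint returns (assumed).
LISTED = {"name": "Example Plugin", "slug": "example-plugin", "version": "9.3.2"}
DELISTED = {"error": "Plugin not found."}

if __name__ == "__main__":
    print(update_status("9.0", DELISTED))  # not-in-repository
    print(update_status("9.0", LISTED))    # update-available:9.3.2
```

Running `update_status("9.0", fetch_info("<slug>"))` against a real slug tells you whether a missing update notice means "up to date" or "no longer listed", which is the distinction this thread turns on.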

    Thread Starter costamaya

    (@costamaya)

    Thanks for your update Patricia. I did not know that WPCerber was removed from the WordPress repository in September; perhaps Gregory will now be able to intervene without denying the evidence, and explain better how and when they intend to fix this huge problem, or whether they have solved it in some way (the vulnerability and the lack of update notices), because if the problem continues to be denied it is evident that we will have to look for an alternative to WPCerber.
    Regarding the operation you advise me to do on ManageWP, it seems to me that it is only possible when installing a new plugin, not when making an update (also and above all because this update is not reported and therefore not present in the list). The only way to load WPCerber 9.3.2 via ManageWP in one shot for all sites, as you recommend, is to install it as a new plugin … I will do so … thanks, yours is an effective help.

    uninvolved

    (@uninvolved)

    It gets worse, actually.

    I manually installed 9.2 as advised. Now it’s version 9.2.3, and the only way to update to that version appears to be doing so manually. There are no notifications that there’s a new version; you just have to keep checking their site for a new version. Then, when there is a new version, you have to manually go through and update the plugin.

    Plugin Author gioni

    (@gioni)

    Make sure that “Use WP Cerber’s plugin repository” is enabled on the “Main Settings” tab.

    Gregory will now be able to intervene without denying the evidence

    There is no evidence so far.

    uninvolved

    (@uninvolved)

    I have that enabled and gave it a good 24 hours to see if it’d update itself. It did not.

    Hopefully that’ll work in the current iteration. I notice it now says that automatic updates are enabled and it didn’t say that before.

    I’m optimistic and indeed I like the plugin. I’ve insisted on using it even during these dramatic times.

    I’m not the one asking about the security hole, but I believe it was fixed in 9.2, just as they said it was. The issue was:

    https://nvd.nist.gov/vuln/detail/CVE-2022-2939

    That’s proof, I suppose, of a bug that did exist. It was also at about the time the plugin was removed from WordPress’ repository. It was ‘just’ user enumeration, something not so terribly insecure. Your security should be more than just hiding usernames.

    NightL

    (@nightl)

    @gioni Unfortunately, as users or former users of WPCerber, the proof is not ours to discern.

    I got notification from Wordfence (I run multiple layers of security) 2 days ago that a critical issue had WPCerber removed from download here. I was astounded that it appears to have been an issue from September.

    After coming here prior to your post and seeing no response from the author, nor on your social media platforms or website addressing the issue I removed WPCerber from 9 websites.

    In every experience I have had of a plugin having issues resulting in it being dropped, where the author was genuine about resolving it, there have been notifications that every effort is being made to rectify the situation as soon as possible, with updates addressing security issues provided within hours or a couple of days.

    I suggest you don’t be butthurt toward your potential or past customers. I had great respect and trust in your product, I would like to trust it again – but “closed as of September 22, 2022” – and no notification – that is not helping.

    Thread Starter costamaya

    (@costamaya)

    Gregory, it is not us who have to bring evidence; on the contrary, it is you who should bring evidence to reassure us rather than attack us … do you think you are making a good impression in the eyes of the readers? You should have less arrogance and get more into the matter … it is needless to keep labeling this ticket as ‘solved’ because it is not …. there are 2 obvious issues:
    – WordPress no longer reports WPcerber updates (and this alone makes me want to uninstall WPCerber); do you want to at least recognize it, and how do you intend to fix it?
    – Is WP Cerber still in the WordPress repository or not? What does it mean, and what does it mean for the security of our sites?
    Be a little more detailed; your skimpy responses at this moment seem like those of an offended child who replies by attacking instead of explaining and reassuring, which is how you should deal with customers.

    Anonymous User 11986954

    (@anonymized-11986954)

    Can we just know the facts? What is the security issue?

    emgb_520

    (@emgb_520)

    I downloaded and installed WP Cerber v9.3.2 from the link provided by the author. I re-ran the Wordfence scan, but it’s still showing as a security vulnerability. Is this SOLELY because the plugin was removed from the WP repo? If so, when will it be re-added so we can stop getting these false flags?

    Thanks.

  • The topic ‘ManageWP mark WPCerber as a Vulnerability Plugin’ is closed to new replies.