• Resolved doffine

    (@doffine)


    Hello @trsupsys,

    we noticed that your plugin is still gone from the WordPress repository – apparently because of a security problem.

    Since your last statement here on this issue is almost six days old, we kindly wanted to ask when you plan to release an update for this issue.

    It is not a good feeling to know that one has several hundreds of WP installations with your plugin in the wild internet that has a security hole that seems to be severe enough to remove the plugin entirely from www.remarpro.com repository but doesn’t get fixed in a whole week.

    Additionally, there is no transparent information about the degree of the security problem, “how bad is it really?”.

    It would be very time consuming and expensive for us to manually update to your developers version in every single one of our hundreds of WP installations. Perhaps 10 minutes later the official update over the WP repository would be there and a whole working day for this manual patching was unnecessary.

    Please let us know what will happen here in the near future.

    Greetings and thanks for your work,
    -doffine

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Support Ole

    (@trsupsys)

    Hello, @doffine
    Thank you for contacting us!

    There was one vulnerability that WPScan discovered
    https://wpscan.com/vulnerability/0b83038e-92d2-4bdd-a597-a5d8eff50edb
    WPScan passed this information to the WordPress Team.

    The plugin was then immediately closed. This company didn’t consider it necessary to contact us so that we would fix the vulnerability with an update and that’s it.
    As you can see, the fix was made a few days ago.

    We don’t consider it too serious. Most of the plugins on the WP repositories have this visibility (hello to them).

    After the fix, the WordPress team decided that we should totally update the plugin – libraries, update bootstrap to the newest versions – even if they are incompatible with each other. It turned out to be pointless to argue.
    This is not a complaint against them – we ourselves believe that quality should not suffer. But closing the plugin … is too much.
    We can’t release a version with the usual vulnerability fix because we had to rewrite a good half of the plugin.

    Now we are rewriting absolutely all database queries that are in the plugin – this is a laborious task.
    We plan to submit the new version for review by Friday.
    Then we will have to wait for a response from the WordPress Plugin Team.
    We think this will happen on Monday/Tuesday.

    Best wishes,
    Ole

    Thread Starter doffine

    (@doffine)

    – ok for reasonable thoughts I removed my posting –

    • This reply was modified 3 years, 9 months ago by doffine. Reason: security reasons
    Plugin Support Support Ole

    (@trsupsys)

    We don’t think it’s right to discuss vulnerabilities here.
    Moreover, our plugin has nothing to do with WooCommerce.
    We made a fix and now we just have to wait.

    Best wishes,
    Ole

    • This reply was modified 3 years, 9 months ago by Support Ole.
    Thread Starter doffine

    (@doffine)

    Hello @trsupsys,

    ok I removed my posting above. I’ll send you a message via your website, since for our own security we just have to know about the asked things.

    Greetings,
    -doffine

    Plugin Support Support Ole

    (@trsupsys)

    Don’t get us wrong.
    We will not share this information.
    Above, we wrote what the vulnerability was and what fix was made. How it can be circumvented, what conditions are required for reproduction – we will not provide this information to anyone, for the safety of our clients.

  • The topic ‘Plugin still removed from www.remarpro.com repository’ is closed to new replies.