Plugin Vulnerability Notification

  • Resolved one3rdnerd

    (@one3rdnerd)


    1 year, 8 months ago

    Hello,

    I just had the following notification from WPEngine

    Hello,

    At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified your site(s), ndanaylov, is (are) utilizing a vulnerable version of the WP Activity Log plugin.

    At this time, we are not seeing that the plugin author has released an update or patch for this vulnerability.

    WP Engine summary of the vulnerability: Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.

    Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine: 
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
    https://wpscan.com/vulnerability/58ab5352-d783-431a-b0a5-382381cc13fd

    We encourage you to assess the risk of continuing to use this plugin until a patch is released.

    Please make sure to run a backup of your database before making any changes. You can learn how to do this in this article: https://wpengine.com/support/restore/ .

    Would you like to avoid doing these updates manually in the future? Add the Smart Plugin Manager to your plan today!

    Finally, feel free to reach out to our Support team at any time if you have any questions!

    Are the devs aware of this and working on a patch?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support robertabela

    (@robert681)

    Hello @one3rdnerd

    Thank you very much for using our plugin. The free edition of WP Activity Log does not even have the library (Freemius SDK) that this issue is about, so this is clearly a false positive.

    As a best practise, should you ever have any questions about vulnerabilities and security it is recommended to contact the vendor directly, and not post on public forums.

    Should you have any other questions, please do not hesitate to ask.

    Have a great day.

    Thread Starter one3rdnerd

    (@one3rdnerd)

    Thank you. I will let them know.

    Plugin Support robertabela

    (@robert681)

    Hello @one3rdnerd

    A quick update from our end: we have spoken to WP Engine and indeed, it is confirmed that this is a false positive. They have gotten this information from an incorrectly reported advisory, and it affected a number of plugins, not just ours.

    They should be sending another email update shortly. Please let me know if there is anything else we can help you with from our end.

    Have a great day and thank you for using our plugin. By the way, please do not forget to spare a minute to rate our plugin and service. These ratings are really helpful.

    Thread Starter one3rdnerd

    (@one3rdnerd)

    Perfect, thanks for getting in touch with them too.

    Have a great day yourself.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Plugin Vulnerability Notification’ is closed to new replies.