• We have noticed that the plugin has a vulnerability that allows authenticated users with subscriber (and higher) permissions to perform unspecified unauthorized actions (Affected Version <= 1.8.25), so we have to deactivate the plugin immediately. Could you please help fix this?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Yeah, same here, please fix that.

    Same here, what is the holdup? Should I delete this plugin?

    Rand

    (@rand)

    We need to hear an answer stat. I will not continue using a plugin that my security apps are flagging. What are you doing about this? If you don’t answer, we will forever stop using your plugin. You MUST respond.

    syzygist

    (@syzygist)

    When are you going to fix this? It has been 6 days since the last update (which did not fix it), and the vulnerability has been public for more than 3 weeks (which means you’ve known about it for a lot longer). Are you even working on a fix? When you have 200,000 users you can’t just go silent like this about a security vulnerability that is affecting thousands of sites. And this is the second time this has happened. Last time, we temporarily removed our gallery, but if you’re going to make a habit of this, I will recommend to clients that we switch to a more reliable plugin with more responsive authors.

    kraken2k

    (@kraken2k)

    It’s 5 days and no response on an already disclosed security vulnerability? Not a single word from the development team?

    juliecornwall

    (@juliecornwall)

    Hi there. Same issue, have 3 sites and over 50 galleries, all disabled for the moment. Do you have a date for resolution, please?

    Rand

    (@rand)

    I understand that security vulnerabilities happen. What I do NOT understand is completely ignoring your support forums. Not even a single acknowledgement? This is how a product dies and the owners lose their reputation.

    syzygist

    (@syzygist)

    A new update was just released, which claims to fix the issue. I don’t vouch for it one way or the other – I have applied it, but will wait to see whether Wordfence updates their vulnerability report to agree before I accept it as fixed. However, just thought I’d let people who are following the thread know, since the plugin developers still haven’t bothered to reply here.

    detoris

    (@detoris)

    An update has now been released

    Changelog 1.8.26

    • Fixed: Broken access control vulnerability.

    Plugin Support Yasin Abedi

    (@yasinabedi)

    Hello,

    I would like to inform you that our team has just released the fix for this issue.
    Please update the plugin to the latest version.

    Thank you for your patience and understanding.

    Best Regards,
    Yasin

    evildoer

    (@evildoer)

    Thank you.

    juliecornwall

    (@juliecornwall)

    Thanks for letting us know.
