Security vulnerability in version 1.8.7

  • Resolved syzygist

    (@syzygist)


    1 year, 11 months ago

    According to a Wordfence security alert released an hour and a half ago (https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-mobile-friendly-image-gallery-182-open-redirect), the 1.8.7 update did not fully resolve the security vulnerability. You were informed of this in another thread (and I’m sure Wordfence also informed you before posting their alert), but you marked it resolved anyway, which it is not. When do you plan to patch this?

    To quote their alert:

    “The Photo Gallery by 10Web plugin for WordPress is vulnerable to open redirect in versions up to 1.8.7. This is due to insufficient validation of the curr_url ($current_url) request parameter when a user accesses a link with an invalid share link. This would make it possible for an attacker to redirect a victim to a potentially malicious site, granted they could trick the victim into performing an action such as clicking on a link. The patches in 1.8.1, 1.8.3, 1.8.7 are incomplete and can be bypassed.”

Viewing 3 replies - 1 through 3 (of 3 total)

  • Agreed – the 1.8.7 release has not fixed the problem and Wordfence flagging the vulnerability again. I have several sites affected.

    • This reply was modified 1 year, 11 months ago by jupiter1955.

    The 1.8.7 release has not fixed the problem and Wordfence flagging the vulnerability again. I too have several sites affected.

    Please advise

    Plugin Support Nikita Anisimov

    (@nikitaanisimov)

    Dear @syzygist , @jupiter1955 and @evildoer , hello

    Thank you for your vigilance in reporting the issue,

    It has been addressed and fixed in the latest 1.8.8 update that is live already,

    We are once again expressing our gratitude and wishing you all a marvelous day ahead!

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Security vulnerability in version 1.8.7’ is closed to new replies.