Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @alduinwf, thanks for your feedback.

    The Tablepress plugin does have an active risk of a CSV Injection. All versions are vulnerable including 1.14. Our team is in contact with the developer and has explained the inherent risks of the vulnerability. The vulnerability is not critical as it has a very low chance of being exploited but it is still a valid security issue.

    When an old vulnerability has been patched, we only warn when the customer is using that version of the plugin to advise that they should update, but this continues to be present. If a plugin does still have a CVE ID issued, we’re not the entity that decided it was a valid vulnerability but it’s Wordfence’s job to alert our customers to it.

    Thanks,

    Peter.
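The warning above concerns CSV injection: a cell whose text begins with a character such as `=`, `+`, `-` or `@` can be interpreted as a formula when an exported CSV is opened in a spreadsheet application. The following Python is an added example, not code from Wordfence, TablePress or this thread; it shows the defensive side, neutralizing such cells on export and flagging them on import. The sample rows are constructed for the demonstration, and the rule that a value parsing as a plain number is left alone is a design choice made here, not something the thread states.

```python
import csv
import io

# Leading characters that common spreadsheet applications may treat as the
# start of a formula (the last two are control characters that can also
# change how a cell is interpreted).
FORMULA_TRIGGERS = "=+-@"
CONTROL_TRIGGERS = ("\t", "\r")


def is_formula_like(value):
    """Return True if a cell value could be interpreted as a formula.

    Whitespace before the trigger character is ignored, because spreadsheet
    applications generally ignore it too.  A value that is simply a number
    (e.g. "-5" or "+3.5") is not flagged; otherwise every negative amount in
    a table would be rewritten.
    """
    if not isinstance(value, str) or not value:
        return False
    if value[0] in CONTROL_TRIGGERS:
        return True
    stripped = value.lstrip()
    if not stripped or stripped[0] not in FORMULA_TRIGGERS:
        return False
    try:
        float(stripped)
        return False  # plain numeric literal, safe to leave as-is
    except ValueError:
        return True


def neutralize_cell(value):
    """Defuse a formula-like cell by prefixing a single quote.

    The quote makes spreadsheet applications treat the cell as literal text.
    Non-string and harmless values are returned unchanged.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows):
    """Serialize rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text and return (row, column, value) for each suspicious cell.

    Useful on import or in a monitoring job: it reports what an export
    routine without neutralization would have handed to a spreadsheet.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample table: one benign formula, one leading '@', one
# negative number that must survive untouched, and a cell needing quoting.
SAMPLE_ROWS = [
    ["name", "amount", "note"],
    ["alice", "-5", "=SUM(A1:A3)"],
    ["bob", "12", "@mention at start"],
    ["carol", "3", "plain text, with comma"],
]


if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
    print(find_formula_cells("a,=1+1\n"))
```

The single-quote prefix is the widely used mitigation for spreadsheet consumers; an application that instead needs the raw value preserved can keep the scanner and reject or escalate rather than rewrite.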

    Thread Starter alduinwf

    (@alduinwf)

    Hello Peter,

    Thank you for your reply. So you are saying DESPITE the CVE being 3 years old and talking about a much older version of this plugin, THIS CVE is still valid and applicable for the new version?

    Or is it just that the CVE is wrong?

    My suspicion was that WordFence actually mistook 14 as being more like 1.4 which would be in fact less than 9 (you know 1.9 and older is affected, WF thinking we’re on version 1.1.4 while we are really on 1.14).

    Because, imho, otherwise the CVE associated with the alert would make no sense at all.
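The suspicion in the post above is that a scanner compared version strings lexicographically, so that "1.14" sorted below "1.9" (or was read as 1.1.4). The Python below is an added example, not Wordfence's or TablePress's code, contrasting the naive string comparison with a component-wise numeric comparison. The cutoff version "1.10" used in the checks is the version the thread names as the one the record reported as patched; whether that cutoff actually applies is a separate question the thread itself answers later.

```python
import re


def parse_version(version):
    """Split a dotted version string into a tuple of integers.

    "1.14" -> (1, 14); "1.9.2" -> (1, 9, 2).  A component that starts with
    digits but carries a suffix such as "1.14-beta" keeps its numeric part;
    parsing stops at the first component with no leading digits.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def compare_versions(a, b):
    """Component-wise numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.

    Missing trailing components count as zero, so "1.14" == "1.14.0".
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed, patched_in):
    """True when the installed version is numerically older than the fix."""
    return compare_versions(installed, patched_in) < 0


def naive_string_affected(installed, patched_in):
    """The flawed check: plain string comparison ("1.14" < "1.9" is True)."""
    return installed < patched_in


if __name__ == "__main__":
    for installed in ("1.9", "1.14", "1.1.4"):
        print(installed,
              "numeric:", is_affected(installed, "1.10"),
              "string:", naive_string_affected(installed, "1.10"))
```

In a PHP code base the same component-wise logic is available through the built-in `version_compare()`; the point of the example is that any check built on raw string ordering will misclassify two-digit minor versions.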

    Plugin Support wfpeter

    (@wfpeter)

    Hi @alduinwf, I have a little more information for you about this.

    The CVE ID isn’t wrong, but it is a little complicated. This issue was reported as patched in version 1.10 hence the age of the record, but we tested the vulnerability ourselves and determined it was never patched so are still reporting it.

    Had this been a CVE we assigned as a CNA, we could’ve updated the record to be more recent, however that wasn’t the case here. Tablepress have informed us that they will be releasing a patch soon, so this should resolve when that occurs.

    Thanks again,

    Peter.

  • The topic ‘Security Warning: WordFence does not know 14 > 9?’ is closed to new replies.