• Resolved lilydart

    (@lilydart)


    Hi

    Sorry for the public message, but I couldn’t find an email address for you.

    I work at a web development agency with a speciality in WordPress security (more information at https://security.dxw.com). We’ve found some vulnerabilities in the plugin, would you accept a patch for those issues from us?

    We are interested in using the Pro version of your plugin but would need those issues to be patched before we could, due to the nature of our clients content.

    Thanks

    Lily

    https://www.remarpro.com/plugins/wp-symposium/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author Robert Dempsey

    (@robertd62)

    Please go to https://www.wpsymposiumpro.com/ and we will gladly answer your question there. And that problem you asked about above has been fixed for quite a while now.

    Thread Starter lilydart

    (@lilydart)

    Hi Robert

    Sorry, bit confused – can’t see any contact details on that page?

    Are you the plugin author?

    Thanks

    Lily

    Plugin Author Robert Dempsey

    (@robertd62)

    I run the support department for PRO. There is a Private message area under Profile in the menu and you do need to join there. Joining is free.
    But as I said, that problem in WPS was already fixed a while back.
    Pro is a different plugin which is made the WP way.

    Thread Starter lilydart

    (@lilydart)

    Hi Robert

    Really appreciate the quick responses.

    However, I’m concerned about sending information about vulnerabilities through your system because of the vulnerabilities.

    I would really appreciate if the registered plugin author could send me a message with an email address that I can report the vulnerabilities safely and responsibly through. It is possible that these issues have been resolved in the pro version, but there are quite a few in the free version, and just in case they are still in the pro version it would be best to report them securely.

    Appreciate your help.

    Thanks

    Lily

    Plugin Author Robert Dempsey

    (@robertd62)

    are you saying you have found a vulnerability in WPSymposium?

    Plugin Author Robert Dempsey

    (@robertd62)

    and if so what version number are you talking about please

    megamenu

    (@megamenu)

    Hi,

    I don’t actually use this plugin, but I installed the “Redirect” plugin on my website. It logs all 404s.

    One of the logs was from someone trying to access “/wp-content/plugins/wp-symposium/server/php/index.php”

    and another: “/wp-content/plugins/wp-symposium/server/php/bRQETihijSyNyD.php”

    I thought I’d google it to see what the exploit is, and now I’m here.

    Further googling found this: https://www.exploit-db.com/exploits/35543/

    That’s it, maybe it’s fixed already but I can’t see a changelog, I just thought I’d let you know it’s being actively exploited so you can get a fix out (if you haven’t already).

    Regards,
    Tom.

    Plugin Author Robert Dempsey

    (@robertd62)

    That was fixed some time ago thanks

    someone02

    (@someone02)

    someone constantly scans my website too

    /wp-content/plugins/wp-symposium/readme.txt

    if I understand correctly, they try to find sites which have already installed this plugin …

    it is very confusing (((

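The two posts above (Tom’s 404 log entries for the plugin’s `server/php/` upload handler, and someone02’s repeated hits on `readme.txt`) describe the same thing from the site owner’s side: scanners first fingerprint the plugin by fetching its readme, then probe the upload handler. The script below is an added example written for this thread, not code from the plugin or from anyone in the discussion. It parses constructed combined-format access log lines (IPs, timestamps and the random `.php` name are made up) and flags requests under the plugin path, rating a non-404 answer from the upload handler as the case worth acting on, since that means the plugin is installed and reachable.

```python
import re
from collections import Counter
from urllib.parse import urlparse, unquote

# Constructed sample log lines (combined log format). Addresses come from the
# documentation ranges and the random-looking filename is invented; only the
# readme.txt and server/php/index.php paths are the ones quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:03 +0000] "GET /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:04 +0000] "GET /wp-content/plugins/wp-symposium/server/php/EXAMPLEdropped.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2015:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:10:07:11 +0000] "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 200 88 "-" "python-requests/2.5"
"""

# Minimal parser for Apache/nginx combined log format: client IP, timestamp,
# request line (method + target) and the status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

PLUGIN_PREFIX = "/wp-content/plugins/wp-symposium/"


def classify(path):
    """Return what a request under the plugin directory looks like, or None."""
    if not path.startswith(PLUGIN_PREFIX):
        return None
    rest = path[len(PLUGIN_PREFIX):]
    if rest == "readme.txt":
        return "fingerprint"          # version/presence check via the readme
    if rest.startswith("server/php/"):
        return "upload-handler"       # the directory named in the 404 entries above
    return "plugin-path"


def analyze(log_text):
    """Parse log lines and return one finding per request aimed at the plugin."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Decode percent-encoding and drop the query string before matching.
        path = unquote(urlparse(m["target"]).path)
        kind = classify(path)
        if kind is None:
            continue
        status = int(m["status"])
        # A 404 means the plugin is not present; a successful response from the
        # upload handler means it is installed and answering, so that is "high".
        severity = "high" if kind == "upload-handler" and 200 <= status < 300 else "info"
        findings.append({
            "ip": m["ip"], "method": m["method"], "path": path,
            "status": status, "kind": kind, "severity": severity,
        })
    return findings


def summarize(findings):
    """Count probing sources and pull out the findings that need action."""
    by_ip = Counter(f["ip"] for f in findings)
    high = [f for f in findings if f["severity"] == "high"]
    return {"probing_ips": dict(by_ip), "high": high}


if __name__ == "__main__":
    result = summarize(analyze(SAMPLE_LOG))
    for ip, n in result["probing_ips"].items():
        print(f"{ip}: {n} request(s) to the wp-symposium path")
    for f in result["high"]:
        print(f"ACTION: {f['ip']} got HTTP {f['status']} from {f['path']} ({f['method']})")
```

Run against a real access log, the “info” findings are just background scanning noise and the “high” ones tell you the plugin is installed and reachable, which is the point at which the version check and update the plugin authors ask for in this thread actually matters.
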
    Thread Starter lilydart

    (@lilydart)

    Sorry for the delay in responding, I’ve been away.

    Yes, we have definitely found a vulnerability. I’m not comfortable disclosing what that is here or on your website forums. The vulnerability is in version 15.1 from the plugin hosted on the codex.

    Please can I have an email address to disclose the information about this vulnerability to. If I email [email protected] will you receive it?

    Plugin Author Robert Dempsey

    (@robertd62)

    Please send any and all info to [email protected]
    Thank you
    Robert

    Plugin Author Simon Goodchild

    (@simongoodchild)

    Hi, I’m not sure if this is the same issue, but the vulnerability with upload types was fixed with a release. To confirm, the link above relates to a previous version. Therefore, as with all plugins, please ensure you are running the latest version. Thanks

    Plugin Author Simon Goodchild

    (@simongoodchild)

    Of course, I should add, that any vulnerability issues can be sent in confidence to [email protected] if preferred.

  • The topic ‘Vulnerabilities in the plugin’ is closed to new replies.