Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    It was already fixed.

    I think the question is…why are those of us with just Download Manager (not Pro) receiving a Vulnerability notice from our hosts or security plugins that Download Manager Pro has a vulnerability from our daily site scan. We don’t even have Pro installed. Just the Free version is installed. I am also running Download Manager 3.2.70, not the Pro version. Is there an update available for the free version of Download Manager to make it so our site scans don’t think we have Pro installed?

    Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    Not sure why your hosting is messing it up. Our wp.org versioning starts at 3.x, and Pro with 6.x.

    Both of them are on the same codebase; when an issue is fixed, it is fixed for both.

    Please tell your hosting support it is already fixed with wp.org v3.x.

    It’s not just the hosting. The warning comes from https://patchstack.com/database/vulnerability/download-manager/wordpress-download-manager-pro-plugin-6-3-0-unauthenticated-sensitive-information-disclosure-vulnerability?_a_id=350 which is a vulnerability database.

    The update you have released for the pro version will have to be released for the Free version.

    Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    Yes, that was about the Pro version, not the wp.org version. The wp.org version 3.2.70 already has the fix.

    They also mentioned it:

    “Update the WordPress Download Manager Pro plugin to the latest available version (at least 6.3.0).”

    But those of us in the free version receive this warning. I for example receive it as a vulnerability in ManageWP and my customers see a vulnerability warning that I am unable to fix, because there is no update to fix it.

    Can you as developers talk to Patchstack to remove the warning from the free version (if they are able to differentiate them)?

    Thank you.

    Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    Actually that’s a misinterpretation of that notice from your hosting company.

    Could you please let your hosting company know about that false positive? We are also contacting them.

    In my case the warning comes from the iThemes Security scan; it’s annoying since it sends me an email about this twice a day.

    Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    @mairag please contact iThemes Security, we are also contacting them.

    Hello, I contacted iThemes Security support and they told me this:

    “Since the one you’re using is the free version (3.2.70), but it is still being flagged as vulnerable by the Site Scanner, I recommend reaching out to the plugin developers for the possibility of updating the reflected information on Patchstack.”

    Thanks

    Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    Actually, Patchstack clearly mentioned it was an issue with PRO (already fixed), but the site scanner plugin is misinterpreting it.

    However, I’ve also contacted Patchstack now.

  • The topic ‘Vulnerability Issue’ is closed to new replies.