• Resolved mkulawik

    (@mkulawik)


    Hello, I received the following alert from WPEngine about this plugin:

    “<Your site is> utilizing a vulnerable version of the Asset CleanUp: Page Speed Booster plugin.

    At this time, we are not seeing that the plugin author has released an update or patch for this vulnerability.

    WP Engine summary of the vulnerability: Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitor’s browser can be abused to steal information, or modify site configuration.

    Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine: 
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
    https://wpscan.com/vulnerability/58ab5352-d783-431a-b0a5-382381cc13fd

    Are you aware of this? Are there plans to address this?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Gabe Livan

    (@gabelivan)

    @mkulawik no, I am not. Thanks for reporting this! I assume you already use the latest version and this is something they just discovered. Of course, once I am aware of the actual vulnerability, a new version will be pushed with the fix.

    Thread Starter mkulawik

    (@mkulawik)

    Thanks Gabe! I appreciate it. We just got the notice from WP Engine Security_ Plugin Vulnerability Notification system yesterday. We’re using Version 1.3.9.2 of the plugin.

    Plugin Author Gabe Livan

    (@gabelivan)

    @mkulawik Last time I checked the following URL – https://wpscan.com/plugin/wp-asset-clean-up – there was an “X” there and a notice that the problem wasn’t solved. Now, it shows that it has been fixed. It looks like it was a glitch on their end and they mistakenly marked it as not solved. Asset CleanUp does not use “Freemius SDK”. It hasn’t for years. I’ll mark this topic as “resolved”.

    dbp

    (@optimus203)

    Thank you Gabe! I was seeing this same issue.

    Thread Starter mkulawik

    (@mkulawik)

    Thank you!

  • The topic ‘WPEngine Vulnerability Alert’ is closed to new replies.