Chad Cloman

I think normally they try to send you some sort of notification that they’ve found a vulnerability, but given what I saw on the Patchstack site, that notification would likely appear to be spam if you didn’t know what it was.

They want you to sign up for their service as a plugin developer/owner and claim ownership of the plugin. Then they’ll provide the details of the vulnerability and, once you’ve fixed it, verify the vulnerability is gone and mark it as fixed.

They pay people to find vulnerabilities. They verify the vulnerabilities and then publish them. And the Solid Security plugin (which I also use) subscribes to their service.

Sounds like it’s an actual vulnerability though.

Good luck!

Thank you for responding. I used method #1. Also, to clarify, after making a change to robots.txt via the plugin:

• The root-level virtual robots.txt was unchanged
• The subdirectory robots.txt (pointed to by the plugin) didn’t exist

I made sure to clear caches and do a hard refresh when checking.

I let it run a couple weeks and it looks good. None of those messages in the error log.

Okay, I found the “Recover Old Sliders” menu option. It didn’t work and erased all the slides, but I found it. So I guess that answers all my questions. Marking as resolved.

• This reply was modified 2 years, 3 months ago by Chad Cloman. Reason: wording change

I changed the metadata database entries for “ris_all_photos_details” to use the WordPress serialized information instead of the double-serialized information that had been there. This now prevents the slider from crashing the page.

However, the sliders image placeholders are gray and don’t show the images themselves. Is there something else I need to modify?

I suggest putting in some error-handling code to see if the result of each get_post_meta() call in layout.php is a string or an array. That way you could exit gracefully instead of crashing the page with a message that WordPress is broken. Here’s something like what I’m thinking:

$URIS_All_Slide_Ids = get_post_meta( get_the_ID(), 'ris_all_photos_details', true);
if (!is_array($URIS_All_Slide_Ids))
  $URIS_All_Slide_Ids = [];
$TotalSlideIds = count($URIS_All_Slide_Ids);

I’m making the assumption that the rest of the script would work with no metadata and a count of zero, but this is just an example off the top of my head. You get the idea. It’s the count() call that crashes the script, because it’s expecting an array and is getting a string.

• This reply was modified 2 years, 3 months ago by Chad Cloman.

Also, if your functions.php doesn’t already have it, place this line at the very top:

<?php

• This reply was modified 2 years, 3 months ago by Chad Cloman.

I think it may have been a copy/paste issue. I had a difficult time copying it from that code block because the scroll bar at the bottom covered the last line. Let me try it this way, with comments to make the copy/paste easier:

// Begin
function my_fix_event_schema($graph, $context) {
  if (!is_array($graph)) return $graph;
  $newgraph = [];
  foreach ($graph as $one) {
    if (strcmp($one['@type'], 'Event') === 0 && !isset($one['performer'])) {
      $one['performer'] = new \stdClass();
      $one['performer']->{'@type'} = 'Person';
      $one['performer']->name = (isset($one['organizer']->name) ? $one['organizer']->name : 'Unknown');
    }
    $newgraph[] = $one;
  }
  return($newgraph);
}

add_filter('wpseo_schema_graph', 'my_fix_event_schema', 9999, 2);

// End

• This reply was modified 2 years, 3 months ago by Chad Cloman.
• This reply was modified 2 years, 3 months ago by Chad Cloman.
• This reply was modified 2 years, 3 months ago by Chad Cloman.

Thank you for the solution and the rollback link!

Will be interesting to see how long it takes the folks at ExpressTech to realize they have a problem.

Or maybe they already know and this was done on purpose as an attempt to get us to pay for the pro version?

Outstanding! Thank you.

Excellent. Thank you for the quick response!

This issue was caused by either (1) Jetpack wasn’t working, or (2) I have the site directory password protected via .htacess. It’s working now. Marking as resolved.

Thank you! That was the problem. I removed the directory password protection and the setup worked.

Thank you for responding.

The site is https://www.sa.org/wsandbox, but you won’t be able to access it because the directory is password-protected.

Yes, tried that too but forgot to mention it here. Disabled all plugins. Activated Jetpack. Same problem.

• This reply was modified 5 years ago by Chad Cloman.

The message has gone away, so that’s good. But the import still churns away forever.

Just in case it was my browser, I used the Microsoft Edge beta, which has never been to either of the domains specified here (sa.org and wordpress.com).

Still didn’t work. So it’s probably not browser-related.

• This reply was modified 5 years ago by Chad Cloman.