Darius Sveikauskas (FX)
Forum Replies Created
Forum: Plugins
In reply to: [WP Dashboard Notes] XSS Vulnerability
I got confirmation from the triage team, recently released version 1.0.12 has a sufficient patch. Thank you!
Forum: Plugins
In reply to: [WP Dashboard Notes] XSS Vulnerability
Great, I’ll ping the triage team so they can validate the patch ASAP.
Forum: Plugins
In reply to: [WP Dashboard Notes] XSS Vulnerability
@sormano check your Slack DMs on the official WordPress Slack.
Forum: Plugins
In reply to: [WP Dashboard Notes] XSS Vulnerability
@sormano, a message with all the information was sent via the contact form on your website on 2024-07-01 at 13:10:32 (EEST). Since we got zero replies and no patched version was released, the vulnerability was disclosed.
Forum: Plugins
In reply to: [Royal Elementor Addons and Templates] wordfence notice
@elementoraddonswpr @igoramatuzzi, the vulnerability is real. The vendor provided the link to a new patched version. Soon, we will validate the patch provided to us, and I hope it is valid. The timeline below explains the situation better:
2022-12-13 – issue reported to the vendor.
2023-08-22 – disclosed to the vulnerability database.
2023-08-25 – the vendor replied and said he would fix the issue.
2023-08-26 – the vendor replied and said he couldn’t reproduce the issue.
2023-08-28 – the vendor got a technical explanation of what is still wrong.
2023-08-29 – the vendor provided a link to the new patched version, and we will check the patch soon.
If you have any questions, please let me know.
Forum: Plugins
In reply to: [PDF Poster - PDF Embedder Plugin] Vulnerability issue
@mdtareqhassan @suzannap sorry for this, it’s a false-positive indication. We marked those database entries as non-published for further investigation. The problem is that some plugins had specific tags that indicate usage of the Freemius WordPress SDK. There are about 1,5K plugins/themes that are using Freemius, so purely manual inspection is not an option, and as we see now, automatic identification might give some wrong results. Once again, sorry for the mess, we are just trying to make the WordPress ecosystem safer and help the community. Thank you for letting us know about the error.
Forum: Plugins
In reply to: [Asgaros Forum] known vulnerability
Hello, the database entry is updated, the vulnerability is patched. It would be great if the author would respond to messages because there’s still no reply to the email we sent him on 2022 October 4. Thank you.
@rickardw I dropped you the information via email.
Forum: Plugins
In reply to: [ThreatPress - Security and Monitoring] Checksum verification failed
Yossi, hackers usually modify this file because it is one of those files continuously used by WordPress. The header.php and footer.php files of the currently active template are also frequently used for the same purpose – to load malicious code for every website visitor.
Hello Chris,
1. Yes, I do understand that if you want reports on your dashboard, you need to give access. However, there are a few problems:
a) a user must provide access to MonsterInsights, not for the application that runs on his server, which means MonsterInsights acts like a middleman and accesses all the information;
b) not everyone needs reports in the WordPress dashboard, and eliminating the manual input of the ID makes it unusable for such users;
c) now making the basic Analytics setup on a freshly developed customer website is impossible, now you need to involve your customer in the whole setup procedure.
2. I was shocked when I saw popups on your site that show who and from what location just bought your premium service plan. Privacy? No?
3. Have you heard anything about the GDPR? I guess not.
I was using this plugin (Google Analytics by Yoast) before your company acquired it, so trust me, I saw all the evolution steps of this product and I’m disappointed.
Forum: Plugins
In reply to: [Content Randomizer] can i use this plugin to…
Hello, I’m so sorry, we had some support issues. Hope you enjoy this plugin. Thank you.
Forum: Plugins
In reply to: [Content Randomizer] HTML tags?
Hello, the current version supports only plain text, but we are considering changing this in the next plugin release. Thank you.
Forum: Plugins
In reply to: [Content Randomizer] can i use this plugin to…
Hello, I would suggest using a proper dedicated testimonials plugin for this task.
Forum: Plugins
In reply to: [Content Randomizer] not show widget when no items to show in the group
Hello, sorry for the delay. We are working on the next version of the plugin, and we will fix this issue. Thank you.
Forum: Plugins
In reply to: [Ultimate WooCommerce Filters] Filter Colours within a Category/Taxonomy
We have added this feature to our development schedule, but we can’t promise this feature in the next release. Thank you.