Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thank you for following up @sjonespl16 !

    It sounds like the specific version of ThemeREX you’re using was a patched one but earlier than 1.70.3.1. I will look into adding the previously patched specific version for you and we’ll see if that resolves the situation. I will update here again once that’s ready.

    Hello @sjonespl16 !

    I am on the Protect / Scan team at Automattic. Thank you for the details you’ve shared regarding your situation. After evaluating, we have updated the vulnerability information to now reflect that it is fixed in versions 1.70.3.1 and greater.

    If your theme is using a version of the plugin that is greater than 1.70.3.1, then the threat notification should go away. The vulnerability was also patched on select older versions. Allowing for time to reflect the change, please let us know if the notification has been cleared. Otherwise, we can look into adding the specific fixed version or otherwise removing the notification for you.

    • This reply was modified 1 year, 1 month ago by Jared.

    Hello Adam!

    I can definitely understand the concern and frustration you are experiencing with this. Unfortunately, using the same slug for multiple plugins (free and paid) is not advisable – especially so when they use separate versioning. WPScan does not yet support this sort of a setup as the system has no reasonable way to discern or report on the two independently.

    Once the paid plugin has been resolved and the version is bumped, the plugin fix will be reviewed and the report updated. However, as you’ve noted, the free version is lower than the paid, so those versions will still have the vulnerability reported.

    Jared
    Code Wrangler @ Automattic
