syzygist
Forum Replies Created
The threat report, as linked above by EigenWijsheid, shows that the vulnerability exists through version 3.6, and has not been patched.
I restored the plugin files I had removed, updated to version 2.1.5, and ran a Wordfence scan. The scan did not flag the new version as vulnerable. However, the vulnerability report link I posted above has not been updated to mention the new version and identify it as a patch. You may wish to contact them about that.
According to the threat report linked below, version 2.1.1 did NOT correct the vulnerability, nor did 2.1.2, 2.1.3 or 2.1.4. As of yesterday (11/7/23), the threat report indicates all updates through 2.1.4 failed to correct the vulnerability, and no effective patch has been released. The lack of transparency on the status of this plugin does not reflect well on the plugin author. Misinforming users about the safety of the plugin puts sites at risk, which is unacceptable.
Treebeard – I am going to have to start recommending a switch to my clients as well. Paywalling functionality so that the tech admin is harassed with irrelevant email is a very poor marketing strategy. I’m also pretty unimpressed that my query was marked as “resolved,” when it is no such thing. Giving plugin developers the ability to unilaterally decide when a support issue is resolved (regardless of whether the OP thinks so) just begs for abuse, and has rendered support statistics untrustworthy and therefore meaningless. But luckily, there are plenty of other analytics options to choose from.
The technical administrator for many sites is not the same person who manages content (and therefore SEO). Therefore paywalling the option to have the summaries sent to someone other than the site admin is a bad decision for site admins and for your company alike. Many admins – especially those who manage multiple sites and get deluged with multiple copies of the summary – will simply turn it off and/or mark it as spam if they aren’t able to direct it elsewhere in the plugin, and the person who would actually be making the payment decision for an upgrade will never see it. Is that what you want?
Forum: Plugins
In reply to: [Quick Contact Form] What user permissions are needed to view Messages
I’d keep it with admins. Contact form setup is not for beginners.
Forum: Plugins
In reply to: [Quick Contact Form] What user permissions are needed to view Messages
Thanks for your swift and thoughtful response.
It doesn’t need to be view only. It makes sense that an employee managing messages would be able to delete messages, delete selected, send the message list, and export to CSV. And BTW, if it were possible to add the timestamp of the message to the date, that would be very helpful. Being able to send a selected message or messages to the entered email address would also be a very handy feature, allowing the employee to redirect messages directly from WordPress. An employee probably shouldn’t be able to upgrade, however. That is something that would more usually be managed by a site admin.
In many businesses, the employee who manages contact form messages is of relatively low authority in the company, and is not otherwise involved with the website (nor authorized to make purchases). The Contributor role isn’t a perfect fit for this scenario, as it permits access to some other things which would be better restricted to site admins.
Therefore a unique user role specific to your plugin, similar to your Event Manager screenshot, would probably be a better solution for typical business use than piggybacking on a native WordPress role. It would also be useful for site admins of blogs configuring safe permissions for an inexperienced site owner.
Forum: Plugins
In reply to: [WP LinkedIn Auto Publish] Reauthentication issues
Apparently I can’t send a screenshot since they have switched this forum to the block editor. But I don’t think the date format is the issue, since the date it showed the first time I re-authenticated on Sept 6 was 11/09/23, so why would it switch date formats upon a second attempt the very next day? It showed a reauthentication date of 11/09/23 on Sept. 6. Does it make sense that it would suddenly switch date formats and show a date of 06/11/23 on Sept. 7th? Even if it did switch date formats for some reason, and you assume Nov. 6th was really meant the second time, why would it give me a reauthentication date 3 days EARLIER on Sept. 7th than it gave me on Sept. 6th? Wouldn’t the reauthentication date be 1 day later?
Forum: Plugins
In reply to: [WP LinkedIn Auto Publish] Reauthentication issues
The reauthentication process would be a lot clearer if the link in the banner took you to the Connection tab where reauthentication happens, rather than to the Sharing Options tab. But you have not addressed my concern about the Connections tab now showing that my next authentication date is 2 months in the past instead of 2 months in the future.
Forum: Plugins
In reply to: [Easy Google Fonts] Update coming?
I have the same question. Wordfence has identified it as abandoned. If you’re going to stop supporting it, you could at least add an export function so we can paste controls we have created into our Additional CSS without having to manually research and re-create each one. That’s a lot of work to put 200,000 active users through. And hitting us with an ad for your new theme is an especial slap in the face (and really poor marketing tactic) when it appears to be at the expense of the plugin we have already spent a lot of time configuring.
I will send it to the email address on your profile – prefer not to post it. Thanks for taking a look.
Forum: Plugins
In reply to: [Custom Icons for Elementor] Is this plugin abandoned?
Many thanks for your response – much appreciated!
Forum: Plugins
In reply to: [Classic Editor] Incorrect line in plugin file
This is what happens when plugin authors change a file in the repo without releasing an updated version of the plugin like they are supposed to. Wordfence perceives it as a file change on the user end and therefore flags it as suspicious. I would guess they forgot to update the tested-with-WordPress version in the update to 1.6.2 of the plugin, and uploaded an edited classic-editor.php file after the update, since all my sites that auto-update plugins are showing the current plugin version, but with a non-updated classic-editor.php file.
Usually the tested-with-WordPress version is in a txt file, but in this case it’s in an executable file, which is even more problematic. I have had to go in and manually update the file on over a dozen sites, which was not my plan for my Saturday. Please don’t skip the proper process again. It causes concerning false alarms to thousands of people.
Wordfence is continuing to flag the free version of the plugin as critically vulnerable and advise removing until the vulnerability is resolved. I got exactly the same results as banijadev posted this evening on 11/2/22. If they are in error, perhaps you should let them know.
Forum: Plugins
In reply to: [VS Contact Form] Reply message does not display after update to 12.6
I tested this morning in 3 different browsers (Firefox, Chrome, and Edge), using different .net email addresses for each one. All 3 went through, displaying the confirmation message, showing up in the dashboard submissions list, and emailing to the admin address. However, in Firefox, after I had solved the equation, entered my message and submitted, the form did not clear, except the equation field, which was cleared and had a new equation to solve, but was not highlighted, so I easily could have missed that if it hadn’t occurred many times before so that I knew to check for it.