Forum Replies Created

Viewing 15 replies - 1 through 15 (of 21 total)
  • Thread Starter tschopo

    (@tschopo)

    Thank you for acknowledging my feedback, but I find your response deflects the severity of this situation.

    Firstly, ranking #5 among WordPress plugins with the most vulnerabilities in a popular vulnerability database is telling on its own. Just this year, this plugin has experienced three critical vulnerabilities—demonstrating a pattern of insufficient code sanitation, which is a basic security practice, not rocket science.

    The issue is clearly not limited to “potential” exploitation; my case proves these vulnerabilities are actively being exploited in the wild. In fact, shortly after my review, another remote code execution vulnerability emerged, despite your claims of heightened prioritization and rapid patching. The fact that I had automatic updates enabled underscores that patches are coming too late.

    It’s frustrating that you’re downplaying this by framing it as “inevitable” for widely used software. Contrary to your implication, many popular software products remain secure without repeated critical issues.

    Your focus seems entirely on reacting to vulnerabilities after they’re discovered and damage control, rather than proactively preventing them through regular, rigorous code audits. Start by hiring programmers that know what they’re doing.

    This isn’t simply about communication; it’s about delivering a secure product from the start.

    Thread Starter tschopo

    (@tschopo)

    Nice! I did not see this feature when reviewing Taxoterms-Pro.

    Thread Starter tschopo

    (@tschopo)

    Yes that is correct, for webp URLs the Vary header does not have to be set.

    The plugin developers of German Market state that it is a problem on your side: they use the WooCommerce hooks woocommerce_find_rates and woocommerce_rate_percent to modify the tax rates.

    Thread Starter tschopo

    (@tschopo)

    I did not see that it is done this way. Your solution is better.

    Thread Starter tschopo

    (@tschopo)

    Cool! I like the solution (redirecting to the base URL if fbclid is set). But if I share

    https://test.kinder-verstehen.de/mein-werk/blog/neues-zum-plotzlichen-kindstod-sids/?print=1

    In this case, I don’t want to be redirected to the base URL. Maybe a better approach is:

    RewriteEngine on
    RewriteBase /
    # fbclid follows another parameter: keep what comes before and after it
    RewriteCond %{QUERY_STRING} ^(.*)&fbclid=[^&]*(.*)$ [NC]
    RewriteRule ^(.*)$ /$1?%1%2 [R=301,L,NE]
    # fbclid is the first (or only) parameter: keep only what follows it
    RewriteCond %{QUERY_STRING} ^fbclid=[^&]*&?(.*)$ [NC]
    RewriteRule ^(.*)$ /$1?%1 [R=301,L,NE]

    In that case https://test.kinder-verstehen.de/mein-werk/blog/neues-zum-plotzlichen-kindstod-sids/?print=1&fbclid=xxx gets redirected to https://test.kinder-verstehen.de/mein-werk/blog/neues-zum-plotzlichen-kindstod-sids/?print=1 and https://test.kinder-verstehen.de/mein-werk/blog/neues-zum-plotzlichen-kindstod-sids/?fbclid=xxx gets redirected to https://test.kinder-verstehen.de/mein-werk/blog/neues-zum-plotzlichen-kindstod-sids/

    • This reply was modified 6 years, 4 months ago by tschopo.
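    An added example, not from the forum thread, that emulates in Python how mod_rewrite expands the RewriteCond backreferences when fbclid is stripped from a query string. It assumes Python's re module backtracks like Apache's PCRE for these patterns, and shows why a single greedy `^(.*)&?fbclid=[^&]+&?(.*)$` leaves a trailing `&` when fbclid is the last parameter, whereas two conditions keep the separators intact in every position.

```python
import re

# Added example (not the forum poster's code): emulate how mod_rewrite would
# expand %1 and %2 for the fbclid-stripping conditions. Assumes Python's re
# backtracks the same way PCRE does for these patterns.

# Single greedy condition as first proposed in the thread.
ORIGINAL = re.compile(r"^(.*)&?fbclid=[^&]+&?(.*)$", re.IGNORECASE)

# Two conditions: one for fbclid after another parameter, one for fbclid first.
MIDDLE_OR_END = re.compile(r"^(.*)&fbclid=[^&]*(.*)$", re.IGNORECASE)
FIRST = re.compile(r"^fbclid=[^&]*&?(.*)$", re.IGNORECASE)


def strip_fbclid_original(query: str):
    """Query string the single-rule version produces, or None if it does not fire."""
    m = ORIGINAL.match(query)
    return m.group(1) + m.group(2) if m else None


def strip_fbclid(query: str):
    """Query string the two-rule version produces, or None if neither rule fires."""
    m = MIDDLE_OR_END.match(query)
    if m:
        return m.group(1) + m.group(2)
    m = FIRST.match(query)
    if m:
        return m.group(1)
    return None


def redirect_target(path: str, query: str, strip=strip_fbclid):
    """Location the 301 points at; mod_rewrite drops the '?' when the new query is empty."""
    new_query = strip(query)
    if new_query is None:
        return None  # condition did not match: no redirect is issued
    return path + ("?" + new_query if new_query else "")


if __name__ == "__main__":
    # Constructed sample query strings covering fbclid first, middle, last and absent.
    path = "/mein-werk/blog/neues-zum-plotzlichen-kindstod-sids/"
    for q in ("print=1&fbclid=xxx", "fbclid=xxx", "a=1&fbclid=x&b=2", "fbclid=x&b=2", "print=1"):
        print(q, "->", redirect_target(path, q, strip_fbclid_original), "|", redirect_target(path, q))
```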
    Thread Starter tschopo

    (@tschopo)

    https://www.kinder-verstehen.de/mein-werk/blog/elternschule-therapie-in-not/?fbclid=IwAR2HzYf8-pR6fLaMMLcNiC824

    I ran some more tests (reset browser cache after each test), and with a random parameter the webpage takes more than twice as long to load.

    • This reply was modified 6 years, 4 months ago by tschopo.
    Thread Starter tschopo

    (@tschopo)

    When I add the parameter my pages take 1000ms longer to load (compared to no query, both loaded without browser cache). That led to my assumption that these aren’t loaded from cache. So maybe there is a different cause for this.

    Thread Starter tschopo

    (@tschopo)

    Yes, I removed the website field. Like this:

    <?php
    // Comment form without the "website" field: only the author and e-mail fields are passed.
    $commenter = wp_get_current_commenter();
    $req       = get_option( 'require_name_email' );
    $aria_req  = ( $req ? " aria-required='true'" : '' );
    $fields    = array(
        'author' =>
            '<p class="comment-form-author"><input class="comment-input" type="text" placeholder="Name *" id="author" name="author" value="' . esc_attr( $commenter['comment_author'] ) .
            '" size="30"' . $aria_req . ' /></p>',
        'email'  =>
            '<p class="comment-form-email"><input id="email" class="comment-input" name="email" type="email" placeholder="E-Mail-Adresse * (bleibt privat)" value="' . esc_attr( $commenter['comment_author_email'] ) .
            '" size="30"' . $aria_req . ' /></p>',
    );
    $args = array(
        'comment_notes_before' => '',
        'comment_field'        => '<p class="comment-form-comment"><textarea id="comment" name="comment" class="comment-input" cols="45" rows="8" aria-required="true" placeholder="Kommentar *"></textarea></p>',
        'title_reply'          => '',
        'title_reply_to'       => 'Antworten',
        'class_submit'         => 'submit comment-submit',
        'fields'               => apply_filters( 'comment_form_default_fields', $fields ),
        'label_submit'         => 'Veröffentlichen',
    );
    comment_form( $args );


    I'm surprised that other users are able to comment.

    Here is an example page with a comment field: https://test.kinder-verstehen.de/mein-werk/artikel/wie-werden-kinder-selbststaendig/#comments

    Thread Starter tschopo

    (@tschopo)

    Latest version of the plugin. Yes, it happens on my own blog when I am logged in. Other users can post, even when they log in on my computer. Default settings, except “Validate IP address” disabled.
    It also happens when all spam comments have been deleted (local spam database empty).

    Thread Starter tschopo

    (@tschopo)

    Ah, right. AJAX was the wrong term. I meant loading the image only once the page has loaded.

    So at the moment I do it by swapping the src of the tracking pixel after the page has loaded. Until then I put a transparent 1px image in its place.

    My filter looks like this:

    // Replace the VG Wort marker <img> with a transparent 1px GIF placeholder; the real
    // marker URL goes into data-src and is swapped into src by JavaScript after page load.
    function kv_customize_vgwort_marker( $output, $marker ) {
        $output = '<img src="data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=" width="1" height="1" alt="" data-src="https://' . $marker['server'] . '/' . $marker['public_marker'] . '" style="display:none" class="dynamic-image" />';
        return $output;
    }
    add_filter( 'wp_vgwort_frontend_display', 'kv_customize_vgwort_marker', 10, 2 );


    And with JavaScript:

    jQuery(document).ready(function($){
      // Once the DOM is ready, load the real marker by copying data-src into src
      $('.dynamic-image').each(function(){
        $(this).attr('src', $(this).attr('data-src'));
      });
    });

    Thread Starter tschopo

    (@tschopo)

    Very nice, thanks. I can also imagine there are more users who would benefit from AJAX.

    Thread Starter tschopo

    (@tschopo)

    So I tried adding it manually, but I get the error message:
    Es wurde keine Zählmarke entsprechend Ihrer Vorgaben gefunden. Die Zählmarke muss ggf. zunächst importiert werden. Zählmarken hier importieren.

    However, the Zählmarke has already been imported.

    edit: Oh I see, you only have to enter the public Zählmarke and leave the field for the private Zählmarke empty. Now it works!
    edit2: Oh I see, my export script had a bug and swapped the private and public keys… hence the error.

    • This reply was modified 7 years, 1 month ago by tschopo. Reason: now it works
    • This reply was modified 7 years, 1 month ago by tschopo.
    Thread Starter tschopo

    (@tschopo)

    Yes, that helps. Unfortunately I cannot copy the database, because two websites were merged (the posts were transferred with the WordPress import function). There are only ~40 posts with Zählmarken; I would add those manually (I did not know that was possible).

    Danke!

    Thread Starter tschopo

    (@tschopo)

    If every plugin adds huge libraries (with bad dependency handling), this leads to a bloated slow website.

    I wrote my own form handler (~50 lines of JS, with nice display of response messages, AJAX, spam protection and error handling). The default form also seems to be buggy? For example, it doesn’t detect if a subscriber is already subscribed.

    • This reply was modified 7 years, 1 month ago by tschopo.