• Resolved christian2019e

    (@christian2019e)


    Hey, I get the following warning on my website:
    Access violation vulnerability in wpDataTables – WordPress Tables & Table Charts Plugin 3.4.2

    • Severity: high-risk
    • Status: Fixed
    • Publication: March 16, 2021

    The wpDataTables – Tables & Table Charts premium WordPress plugin before version 3.4.2 had a security vulnerability that allowed someone with lower privileges to access data stored in a table that was published on a page. This was possible by tampering with the parameters in a way that allowed them to take over the permissions of the user who created the table, by using a formdata[wdt_ID] parameter. This allowed the attacker to access and manage data of all users in the same table. This vulnerability only affected the premium version of the plugin, and not the free version.

    I have used the plugin for a long time now and I have my updates automated. Now I checked why I get this warning, and I see that the plugin is still on version 2.1.66. Is there a reason that I got no updates for the plugin?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author wpDataTables

    (@wpdatatables)

    Hello, 

    The vulnerability was found in the full version of wpDataTables v3.4.1, so all premium versions before that can be affected.

    Lite version does not have these functionalities (such as SQL based tables), so Lite version was never affected. Those reports are not related to the Lite version, but they can be reported in the lite version because the resources where this information about themes or plugins vulnerabilities are stored are generated by the theme or the plugin slug. Those slugs are the same in both lite and the full version, and because of that, you get those notifications.

    The important thing is that there’s nothing to worry about. Newer versions of the wpDataTables premium don’t have these issues (the latest one is 5.8.1), and Lite versions never did.

    Unfortunately, until wpDataTables Lite goes above version 3.4.2 these reports will indicate a false positive. The lite and the full version have the same slug (wpdatatables), and that’s why the security plugins can’t differentiate between the versions.

    I hope this helps, do let us know if you need any further information.

    Kind regards.

    Thread Starter christian2019e

    (@christian2019e)

    OK that sounds good.
    So the lite version is currently on 2.1.68 and that's why I can't update. Thanks

    Plugin Author wpDataTables

    (@wpdatatables)

    Hello,
    No problem, we are happy to advise.
    Yes, that is correct. For the moment, the latest Lite version is 2.1.68, so unfortunately, there is still that ‘false positive’ report coming from the Security Plugins since they are not able to differentiate our Lite from Premium versions, because they have the same name for the ‘slug’ (wpdatatables), thus until wpDataTables Lite goes above version 3.4.2 these reports will indicate a false positive.
    We are sorry for that inconvenience.
    Thank you for understanding, please don’t hesitate to open new posts if you notice anything else we might help with.

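The false positive described in the replies above, as an added example that is not part of the thread and is not code from wpDataTables or any security plugin: matching an advisory on slug and version alone flags Lite 2.1.66, while a check that also knows the edition does not. The `edition` and `affected_edition` fields are hypothetical; the thread does not say that scanners have this information.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str, width: int = 4) -> tuple:
    """'2.1.66' -> (2, 1, 66, 0); padding keeps '3.4' equal to '3.4.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

@dataclass
class Advisory:
    slug: str
    fixed_in: str
    affected_edition: Optional[str] = None  # hypothetical field

@dataclass
class InstalledPlugin:
    slug: str
    version: str
    edition: Optional[str] = None  # hypothetical: recorded by the site owner

def slug_only_match(plugin: InstalledPlugin, adv: Advisory) -> bool:
    """What the thread describes: same slug and a lower version number."""
    return (plugin.slug == adv.slug
            and parse_version(plugin.version) < parse_version(adv.fixed_in))

def edition_aware_match(plugin: InstalledPlugin, adv: Advisory) -> str:
    """Triage a slug/version hit using the edition, when both sides know it."""
    if not slug_only_match(plugin, adv):
        return "not affected"
    if adv.affected_edition is None or plugin.edition is None:
        return "needs review"
    if plugin.edition == adv.affected_edition:
        return "affected"
    return "false positive"

# Slug, fixed version and premium-only scope come from the thread;
# the list of installs is constructed for this example.
ADVISORY = Advisory("wpdatatables", "3.4.2", affected_edition="premium")
INSTALLS = [
    InstalledPlugin("wpdatatables", "2.1.66", "lite"),
    InstalledPlugin("wpdatatables", "3.4.1", "premium"),
    InstalledPlugin("wpdatatables", "5.8.1", "premium"),
    InstalledPlugin("wpdatatables", "2.1.68"),  # edition not recorded
]

if __name__ == "__main__":
    for p in INSTALLS:
        print(p.version, p.edition, slug_only_match(p, ADVISORY),
              edition_aware_match(p, ADVISORY))
```

An install whose edition is not recorded comes back as "needs review" rather than being silently cleared, so a premium copy below 3.4.2 is never dismissed by default.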

The topic ‘Critical Security Warning for the Plugin’ is closed to new replies.