Plugin Author: Brecht (@brechtvds)
Hi there,
This is about a vulnerability that was fixed back in September, so it’s unclear to me why this is suddenly resurfacing. I have contacted Patchstack, but as far as I can tell, this is not a problem anymore.
Kind regards,
Brecht
Many thanks for the quick reply Brecht.
Please update when you know more.
Thanks
It looks like vdp.patchstack.com has uprated the severity.
It is now high priority, with a rating of 7.5:
“This vulnerability is highly dangerous and expected to become exploited.”
Are you able to shed any more light on this please?
Plugin Author: Brecht (@brechtvds)
I understand your concern, but I strongly disagree with that assessment and do not understand where they are coming from. I emailed them last week with the proof that it was already following WordPress standards and this particular exploit had already been fixed. They stopped responding for some reason.
2 days ago I uploaded an additional patch to them, which would further lock things down (even though it was already solved back in September, as far as I can tell), but they have not reviewed that yet.
In any case, the only actual risk (according to them) right now is that another logged in user (so someone that you have already given access to the post editor) can search for posts through Custom Related Posts and see the name of a draft or private post that they did not write. It’s really not a major security risk, in my opinion.
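As a defensive illustration of the point in this reply (another logged-in user seeing draft or private post titles through a post search), here is a hypothetical hardened WordPress AJAX search handler. It is added here and is not the plugin's code; the action name, nonce action, request field and the restriction to the 'post' type are all assumptions.

```php
<?php
// Hypothetical hardened search endpoint (added illustration, not the plugin's code).
// Assumed names: AJAX action 'crp_example_search', nonce action 'crp_example_search_nonce',
// request field 'term'. Registered for logged-in users only (wp_ajax_, not wp_ajax_nopriv_).
add_action( 'wp_ajax_crp_example_search', 'crp_example_search_handler' );

function crp_example_search_handler() {
    // Reject forged cross-site requests before doing any work.
    check_ajax_referer( 'crp_example_search_nonce', 'nonce' );

    // Only users who can work in the post editor may search at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $term  = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    $query = new WP_Query( array(
        's'              => $term,
        'post_type'      => 'post', // assumption: restrict to the built-in post type
        'post_status'    => array( 'publish', 'private', 'draft', 'pending', 'future' ),
        'perm'           => 'readable', // WP_Query drops unpublished rows the user may not read
        'posts_per_page' => 20,
        'no_found_rows'  => true,
    ) );

    $results = array();
    foreach ( $query->posts as $post ) {
        // Per-post gate as a second layer: read_post maps to edit_post for drafts and
        // to read_private_posts for private posts, so titles of other authors'
        // unpublished posts never leave the server for users lacking those capabilities.
        if ( ! current_user_can( 'read_post', $post->ID ) ) {
            continue;
        }
        $results[] = array(
            'id'     => $post->ID,
            'title'  => get_the_title( $post ),
            'status' => $post->post_status,
        );
    }

    wp_send_json_success( $results );
}
```

The weak form of this handler would query all statuses without `perm` and return every title unfiltered, which is exactly the disclosure described above.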
Thank you very much for the update. It’s very helpful to also know the extent of the risk. I agree with you – not exactly earth-shattering.
Plugin Author: Brecht (@brechtvds)
Hi again,
Just wanted to let you know that Patchstack has confirmed this as fixed as well!
Kind regards,
Brecht
Thank you very much for the update.
Excellent comms from you. Much appreciated 🙂
Plugin Author: Brecht (@brechtvds)
Thank you for your donation! That was not necessary, but definitely appreciated.
Brecht