Hi @inveress, thanks for the report on this.
Our Threat Intelligence team has just taken a look at this. The Pro version was reported as “vulnerable < 2.24.0”, instead of the free version. The record now reflects the correct free and premium version affected ranges.
Peter.
Bob
(@boblindner)
I’m also receiving a few security vulnerability emails that seem wrong. The “Vulnerability Information” link 404s at cve.org and when I search for the CVE number it’s pretty old. Have received about a dozen from several sites so far including:
- The Plugin “TablePress” has a security
- The Plugin “Responsive Lightbox” has a security vulnerability.
- The Plugin “Ninja Forms – File Uploads” has a security vulnerability.
- The Plugin “WP Super Cache” has a security vulnerability.
- The Plugin “Admin Columns Pro” has a security vulnerability.
Same issue here. TablePress 1.14 is getting reported as vulnerable because of CVE-2019-20180 which was for TablePress 1.9.2. This only started appearing recently, so something changed.
Thanks @wfpeter. Is the general issue here that vulnerabilities are raised in CVE and then never closed off, resulting in old problems being seen as ‘current’?
Tobias, the author of TablePress, for example, did not attend to the TablePress CVE vulnerability as he did not see it as a problem with TablePress specifically (and he’s correct, I think, if I understand the issue correctly). I assume this would mean the “vulnerability” will never be “fixed”, as far as CVE is concerned. Would this mean that we’ll be continually warned about it?
Thanks, Peter.
The 2019 CVE says that it applies to TablePress versions up to and including 1.9.2. Why would Wordfence invoke a CVE for a version that is newer than the affected versions in the CVE?
This is starting to be annoying. For 3 years now there was no issue, but now WF decides TablePress 1.14 has a critical vulnerability, although the CVE says it’s up to v1.9.2.
Hi @inveress,
The TablePress plugin does have an active risk of a CSV Injection. All versions are vulnerable including 1.14. Our team is in contact with the developer and has explained the inherent risks of the vulnerability. The vulnerability is not critical as it has a very low chance of being exploited but it is still a valid security issue. It’s Wordfence’s job to alert our users to these vulnerabilities. We don’t try to guess if those users might be compromised as a result of the vulnerabilities or not.
When an old vulnerability has been patched, we only warn when the customer is using that version of the plugin to advise that they should update. If a plugin does have a CVE ID issued, we’re not the entity that decided it was a valid vulnerability but will alert our customers to it.
Thanks,
Peter.
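A defender-side illustration of the CSV injection class Peter's reply refers to, added here as an example and not code from TablePress or Wordfence: it audits table cells that a spreadsheet would evaluate as formulas when the exported CSV is opened, and neutralizes them on export. The function names and the sample rows are constructed for this example.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
# Tab and carriage return are included because some importers strip leading
# whitespace before interpreting the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(cell: str) -> bool:
    """Plain numbers such as '-5' start with a trigger but are harmless."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def is_formula_like(cell) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    if not isinstance(cell, str) or not cell:
        return False
    return cell.startswith(FORMULA_TRIGGERS) and not _is_plain_number(cell)


def neutralize_cell(cell):
    """Return the cell so that a spreadsheet shows it as literal text."""
    if not is_formula_like(cell):
        return cell
    # A leading apostrophe forces text interpretation; the CSV writer quotes
    # the field, so the apostrophe survives the round trip.
    return "'" + cell


def audit_rows(rows):
    """List (row, column, cell) for every cell that would be evaluated."""
    return [(r, c, cell) for r, row in enumerate(rows)
            for c, cell in enumerate(row) if is_formula_like(cell)]


def export_rows(rows) -> str:
    """Serialize rows to CSV with every formula-like cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample: a small table as visitors might have filled it in.
SAMPLE_ROWS = [["name", "note"], ["alice", "=SUM(1,2)"],
               ["bob", "-5"], ["carol", "@mention"]]
```

Running `audit_rows(SAMPLE_ROWS)` before export shows which cells would be evaluated; `export_rows` writes the same table with those cells prefixed so they render as text.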