security risk reported by WP Engine | ww.wp.xz.cn

Resolved lilian9888
(@lilian9888)

3 months ago

XML Sitemap Generator for Google <= 4.1.22 is vulnerable to Access Controls

Severity: low (5.3)

Exploited: No

Fixed in: No fix yet

Security risk: access controls. This vulnerability allows any unauthenticated user to perform actions that only an administrator should be allowed to do.

Viewing 4 replies - 1 through 4 (of 4 total)

deejmer
(@deejmer)

3 months ago

This is very worrisome. Pretty sure our website was hacked last time this plugin had a security vulnerability.

Plugin Author Frederick Townes
(@fredericktownes)

3 months ago

The latest release already addresses the issue, which is as reported, low severity. We have another patch with additional measures that the security groups have finally finished reviewing, so that security monitoring services will hopefully quickly acknowledge.

Stuey
(@sirstuey)

3 months ago

I have been seeing this through Jetpack’s security scan as well.

Jetpack says it’s due to WPScan sourcing the vulnerability via Patchstack.

Patchstack still has it listed as “no official fix available,” and says that <= 4.1.22 are impacted. That’s probably why various security checks and scans are still screaming at everyone.

https://vdp.patchstack.com/database/Wordpress/Plugin/google-sitemap-generator/vulnerability/wordpress-google-xml-sitemaps-plugin-4-1-21-broken-access-control-vulnerability

@fredericktownes , thank you for continuing to work through this – as annoying as the security alerts have been, it sounds like you’re going through a significant hassle.

Plugin Author Frederick Townes
(@fredericktownes)

3 months ago

You’re welcome! Thanks for your patience @sirstuey.

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

6 replies
4 participants
Last reply from: Frederick Townes
Last activity: 3 months ago
Status: resolved