Hello @jimk1416,
Thanks for contacting us,
Hope you are doing well. We’ve informed our technical team about your issue, and they will work on it promptly. When we receive their response, we will get back to you. Our team is here to assist you.
Thanks & Regards
WP Experts Support Team
Thank you for the prompt response. Much appreciated.
Hello @jimk1416,
Yes, the fix has already been published in the currently live version 2.5.2. Please update the plugin to the latest version (2.5.2). You can also check the patch confirmation on Wordfence at [New User Approve <= 2.5.1 – Cross-Site Request Forgery via admin_notices — Wordfence Intelligence ] and on Patchstack at [WordPress New User Approve plugin <= 2.5.1 – Cross-Site Request Forgery (CSRF) vulnerability – Patchstack ]. This confirms that the fix has already been implemented.
Please have a look at the screenshot below:
https://ibb.co/nLRpjjF
https://ibb.co/2Ywj6Nw
Let us know if you still have any questions; feel free to reach out.
Thank you
Hey @hamza1010,
Thanks for the quick fix.
Hello,
Thanks for the support. But it seems the vulnerability is still present in the 2.5.2 version.
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/new-user-approve/new-user-approve-251-cross-site-request-forgery-via-admin-notices
“Description
The New User Approve plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the admin_notices function. This makes it possible for unauthenticated attackers to dismiss admin notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.”
With kind regards,
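For readers following the thread, here is an added illustration of the class of bug the Wordfence description refers to (missing nonce validation on an admin_notices dismiss action). It is not code from the New User Approve plugin: the function names, the myplugin_ prefix, the option name and the nonce action are assumptions. It shows a dismiss handler that trusts a bare GET parameter beside a hardened version that signs the link with wp_nonce_url() and verifies it with check_admin_referer().

```php
<?php
// Added example, not the plugin's code. The myplugin_ prefix, option name
// and nonce action name are assumptions for illustration only.

// WEAK PATTERN: the dismiss link carries no nonce and the handler trusts
// the GET parameter alone. Any page that makes a logged-in admin's browser
// request ?myplugin_dismiss=1 clears the notice (cross-site request forgery).
function myplugin_admin_notice_unsafe() {
    if ( isset( $_GET['myplugin_dismiss'] ) ) {
        update_option( 'myplugin_notice_dismissed', 1 );
        return;
    }
    if ( ! get_option( 'myplugin_notice_dismissed' ) ) {
        $url = add_query_arg( 'myplugin_dismiss', '1' );
        echo '<div class="notice notice-info"><p>Please review your settings. '
           . '<a href="' . esc_url( $url ) . '">Dismiss</a></p></div>';
    }
}

// HARDENED PATTERN: the link is signed with wp_nonce_url(), the handler
// verifies the nonce with check_admin_referer() (which stops execution on
// failure) and also checks capability, so a forged request from another
// site cannot change state on the admin's behalf.
function myplugin_admin_notice_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_GET['myplugin_dismiss'] ) ) {
        // Dies if the nonce is missing, expired or invalid. The action and
        // query-arg names must match the wp_nonce_url() call below.
        check_admin_referer( 'myplugin_dismiss_notice', 'myplugin_nonce' );
        update_option( 'myplugin_notice_dismissed', 1 );
        return;
    }
    if ( ! get_option( 'myplugin_notice_dismissed' ) ) {
        $url = wp_nonce_url(
            add_query_arg( 'myplugin_dismiss', '1' ),
            'myplugin_dismiss_notice',
            'myplugin_nonce'
        );
        echo '<div class="notice notice-info"><p>Please review your settings. '
           . '<a href="' . esc_url( $url ) . '">Dismiss</a></p></div>';
    }
}

// Only the hardened handler is hooked; the weak one is shown for contrast.
add_action( 'admin_notices', 'myplugin_admin_notice_safe' );
```

When reviewing a plugin for this issue, look for every code path under admin_notices (or an admin_init handler it delegates to) that calls update_option(), delete_option() or similar on the strength of a request parameter alone, without a wp_verify_nonce() or check_admin_referer() call.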
Hello @monkeydluffy,
As mentioned earlier, this issue has already been fixed in version 2.5.2, and you can confirm this through Patchstack, as they originally identified it. We are working with Wordfence to resolve this. Additionally, we have made some code improvements and are going to release the plugin. Please check this as well.
If you have any questions, feel free to reach out. We’re here to assist you.
Thank you