Security Vulnerability

  • Resolved dmosse2000

    (@dmosse2000)


    2 years, 9 months ago

    I received the following from WP Engine:

    Hello,

    At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified your site(s), davidedelstein dmestaging1, is (are) utilizing a vulnerable version of the WP 404 Auto Redirect to Similar Post plugin.

    At this time, we are not seeing that the plugin author has released an update or patch for this vulnerability.

    WP Engine summary of the vulnerability: Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.

    Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine: 
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40206
    https://wpscan.com/vulnerability/2faa40be-82c6-4e2f-9b4d-fc8ea9a136dc

    We encourage you to assess the risk of continuing to use this plugin until a patch is released.

    Please make sure to run a backup of your database before making any changes. You can learn how to do this in this article: http://wpengine.com/support/restore/ .

    Would you like to avoid doing these updates manually in the future? Add the Smart Plugin Manager to your plan today!

    Finally, feel free to reach out to our Support team at any time if you have any questions!

    Thanks
    -WP Engine Security Team

Viewing 1 replies (of 1 total)
  • Plugin Author Konrad Chmielewski

    (@hwk-fr)

    2 years, 4 months ago

    Hello!

    The issue has been fixed in the latest 1.0.4 version. Please update to the latest version to fix it.

    The message you received from WP Engine is probably automatically sent by their security system, and they didn’t have the full details of the vulnerability (since it was private). The issue wasn’t as alarming as it sounds.

    In short, you had to be an administrator and add a custom script by yourself in the plugin’s settings area in order to exploit the vulnerability.

    This is why the security report was marked as “Medium” security risk, instead of “High” security risk.

    Thanks!

    Regards.

Viewing 1 replies (of 1 total)

The topic ‘Security Vulnerability’ is closed to new replies.