• Resolved webmasterahora

    (@webmasterahora)


    I hope you’re doing well.

    I’m reaching out because during a routine security review of my WordPress site, I received a notification regarding certain aspects of the current version of the plugin (v1.35) that might require immediate attention to keep my site secure.

    After reviewing publicly available information, I understand that versions prior to 5.39 of the plugin (in its PRO version, which shares the same slug) may have important areas that need improvement. My installed version (1.35) appears to be older than the corrected version.

    I would greatly appreciate it if you could confirm the following:

    1. Do you have a planned release date for an updated, patched version of the free “Advanced Google reCAPTCHA” plugin (or clarification on whether version 1.35 is affected)?
    2. If so, could you provide an estimated timeline for that release?

    My goal is to keep the plugin active because it’s very useful for my site, but security is my top priority. If the update is going to take a while, I will evaluate temporary measures.

    Thank you very much for your time and for your excellent work.

    I look forward to your response.

    Best regards,

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support Gordan

    (@gordano)

    Hi,
    As Wordfence clearly shows, the issue was ONLY with the pro plugin, and it was patched instantly quite some time ago: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-google-recaptcha/wp-captcha-pro-538-missing-authorization-to-authenticated-subscriber-arbitrary-file-upload

    For some reason, the free plugin, which is 1.x (pro is 5.x), is now getting flagged as problematic simply because it shares the slug and it’s <= 5.38. Again, the free version did not have and does not have any known vulnerabilities. Are there any? Well, like any piece of software – probably. But known ones – no.

    What’s being done? We aligned the version numbers for free and PRO and will keep them this way to avoid any future concerns. If there was a real issue, we would have already patched it 10 times. But this whole situation is just a false positive (for the free plugin).

    Thread Starter webmasterahora

    (@webmasterahora)

    Thanks so much!! 👍

    Thank you for the clarification.

    Plugin Support Gordan

    (@gordano)

    👍 I hope the version bump is the end of this and we can all move to more productive things 🙂

    Um. Uh. Where do I find the update ?

    It’s not showing up in the wordpress admin change log.

    Aight. That went over my head. There is no “normal” update – per se – as you just changed the version number to match.

    Thank you ladies and gentlemen…. I’m here all week.

    Plugin Author Alexandru Tapuleasa

    (@talextech)

    Yes, we just bumped the version to align it with the PRO version as, while the free version was never affected by this vulnerability, scanners were reporting it as being affected because it uses the same slug and had a 1.x version, which is lower than the 5.38 reported by the CVE.

    But to make it clearer, at no point was the free version vulnerable and PRO was updated within 24h of the internal disclosure, 2 months before Wordfence made the vulnerability public.
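The matching behaviour described in Gordan's and Alexandru's replies above (a feed entry keyed on the plugin slug plus a "fixed in" version, so a 1.x free plugin that shares its slug with a 5.x PRO plugin is reported as vulnerable) is easy to reproduce. The following is an added illustration written for this page, not code from the plugin or from any scanner vendor. The `Advisory` and `Installed` records, the "free"/"pro" edition discriminator and the entry id `example-entry` are constructed for the example; the slug and the 5.38/5.39 version numbers are the ones the thread mentions.

```python
"""Model of a slug-keyed vulnerability match and the resulting false positive.

Added illustration; the data model below is assumed, not any vendor's feed format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into an int tuple, e.g. '1.35' -> (1, 35).

    A trailing non-numeric component (e.g. 'beta') and anything after it is
    dropped, which is enough for the plain x.y / x.y.z strings used here.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b (missing components count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


@dataclass(frozen=True)
class Advisory:
    id: str
    slug: str
    fixed_in: str            # first version that is not affected
    edition: Optional[str]   # which edition the advisory is about; None = unknown


@dataclass(frozen=True)
class Installed:
    slug: str
    version: str
    edition: str             # assumed discriminator read from the plugin, "free" or "pro"


def is_affected(adv: Advisory, inst: Installed, edition_aware: bool = False) -> bool:
    """Slug-only matching (the behaviour the thread describes) unless edition_aware."""
    if adv.slug != inst.slug:
        return False
    if edition_aware and adv.edition is not None and adv.edition != inst.edition:
        return False
    return version_lt(inst.version, adv.fixed_in)


def scan(advisories: List[Advisory], inst: Installed, edition_aware: bool = False) -> List[str]:
    """Return the ids of all advisories that match the installed plugin."""
    return [a.id for a in advisories if is_affected(a, inst, edition_aware)]


# Constructed feed entry: only the PRO edition was affected, fixed in 5.39.
ADVISORIES = [Advisory("example-entry", "advanced-google-recaptcha", "5.39", "pro")]

# Constructed installs: the reporter's free 1.35, the free plugin after the
# version bump, and a PRO install before and after the fix.
FREE_OLD = Installed("advanced-google-recaptcha", "1.35", "free")
FREE_BUMPED = Installed("advanced-google-recaptcha", "5.39", "free")
PRO_OLD = Installed("advanced-google-recaptcha", "5.38", "pro")
PRO_FIXED = Installed("advanced-google-recaptcha", "5.39", "pro")


if __name__ == "__main__":
    for label, inst in [("free 1.35", FREE_OLD), ("free 5.39", FREE_BUMPED),
                        ("pro 5.38", PRO_OLD), ("pro 5.39", PRO_FIXED)]:
        print(f"{label:10} slug-only: {scan(ADVISORIES, inst)!s:20} "
              f"edition-aware: {scan(ADVISORIES, inst, edition_aware=True)}")
```

With slug-only matching the free 1.35 install is reported against the PRO advisory because `1.35 < 5.39`, which is the false positive the maintainers describe; bumping the free plugin to 5.39 clears it without any code change, and a matcher that also checks which edition the advisory covers would not have flagged it in the first place. The caveat for anyone triaging scanner output is that the match tells you only that slug and version range overlap; confirming which product the advisory actually names is still a manual step.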
