Vulnerabilities in Permalink Manager Plugin | ww.wp.xz.cn

Resolved bharathiviswa
(@bharathiviswa)

3 years, 3 months ago
Hi

I have using permalink manager plugin in my wordpress site, recently I had reported that disclosure vulnerabilities in t/index.php.

Issue Link:Mydomain/t/index.php?action[]=aaa

The issue: “Warning: strpos() expects parameter 1 to be string, array given in /home/customer/Mydomain/public_html/wp-content/plugins/permalink-manager/permalink-manager.php on line 352”

The reported PHP line 352 : “if((!empty($_REQUEST[‘action’]) && strpos($_REQUEST[‘action’], ‘elementor’) !== false) || isset($_REQUEST[‘elementor-preview’])) { return; }”

Note: If we remove the permalink manager plugin, the issue is solved( but we need permalink plugin). The permalink plugin version is 2.2.8.4. The PHP line which shows issue is a default plugin code.

Please solve the issue, I need permalink manager without this disclosure vulnerability for my site.

Thanks!
- This topic was modified 3 years, 3 months ago by bharathiviswa.
- This topic was modified 3 years, 3 months ago by bharathiviswa.

Viewing 1 replies (of 1 total)

Plugin Author Maciej Bis
(@mbis)

3 years, 3 months ago

Hi @bharathiviswa,

Thank you for reporting this problem. To prevent this warning from being displayed, there needs to be an additional condition (is_string()) added to the “if” clause:
https://plugins.trac.ww.wp.xz.cn/changeset/2865284#file1

if ( ( ! empty( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) && strpos( $_REQUEST['action'], 'elementor' ) !== false ) || isset( $_REQUEST['elementor-preview'] ) ) {

To resolve the problem, please either update the plugin to 2.3.1 version or apply the change manually.

Best regards,
Maciej

Viewing 1 replies (of 1 total)

The topic ‘Vulnerabilities in Permalink Manager Plugin’ is closed to new replies.

1 reply
2 participants
Last reply from: Maciej Bis
Last activity: 3 years, 3 months ago
Status: resolved