Vulnerability in plugin
-
According to ManageWP and Patchstack there’s a vulnerability in version 1.6.10.4 and below of Appointment Booking Calendar.
Is there a new version of the plugin on the way where the vulnerability has been resolved?
-
Hello @jrrsdu, I’ll share this with our team to investigate.
I’m also getting a vulnerability issue from WordPress for your plug-in. Please advise on a solution.
Just to add more context to this thread:
This vulnerability was flagged by Patchstack ~7 days ago, and is now also being flagged by Wordfence for the same plugin version and issue.
Could the team confirm:
– whether this is acknowledged
– if a fix is in progress
– or if this is considered a false positive
Given that multiple scanners are now flagging this, some clarification would be appreciated.
Hi @dropshot thanks for getting in touch, we are in active communication with WordFence (have had no communication from the Patchstack team). We have a fix in progress and should have the warning removed as soon as we receive confirmation from the WordFence team, but that depends on their response time.
We actively work on all security notices we receive and are committed to keeping the plugin updated and secure. Please update to new versions as soon as you see them available.
Hello @jrrsdu, @dropshot, and @singed68 – we have good news. We were able to push out the fixes for vulnerabilities flagged by Patchstack and Wordfence. Please update to the latest version when you see it is available.
We’re also working on one additional fix that will be included in an upcoming release. Thanks for your patience while we worked through these.
Hi @cyn92, I have updated the plugin to 1.6.11.0 but I’m still being told that there’s a vulnerability in the plugin, now patchstack just tells me it’s in version 1.6.11.0 and below.
Is it a false positive now or is the plugin still vulnerable?
Hello @jrrsdu, the fix is included in version 1.6.11.0, so you’re running the patched version. What you’re seeing is likely a delay; security databases need to verify fixes before updating their records, and that process can take a bit longer than the release itself. We’ve submitted the patch details and are waiting on confirmation.
Once the verification completes, the warning should clear. We’ll update this thread when that happens. Thanks for following up.
Sorry, but your updated version is still showing up on the vulnerability scan in WP: Version 1.6.11.0
Hi @singed68 we’ve released several of the security fixes, so the code itself is in v1.6.11.0 but the “vulnerability scan” notice won’t go away until the security companies officially review and approve our fix. We unfortunately don’t have any control over how quickly they respond to us.
Hopefully they will be marking the issues resolved within the next few days and you’ll see the notice disappear. If there are any additional security adjustments, we’ll do a follow-up release soon.
Thanks for your patience, and please let us know when you see the vulnerability notice go away on your side!
As we’ve been making these fixes, we have also been proactively looking for more ways we can improve security throughout the plugin. There are additional improvements in v1.6.11.2, which we just released. I’d recommend updating to that version when you get a chance.
Thanks,
Nathan