huskydog
Forum Replies Created
Forum: Plugins
In reply to: [Media Library Assistant] Broken Access Control vulnerability (<= 3.3.0)
Well, confusingly, Patchstack are now showing that versions <=3.32 are vulnerable, although that isn't reflected in the associated CVE.
Forum: Plugins
In reply to: [Media Library Assistant] CVE-2025-11738
Thank you for your prompt and helpful response to a security issue. Such a refreshing change from the authors of some other plugins which I won't mention.
OK, I have waited long enough. I have now removed Gutentor from my sites.
This problem doesn’t seem to have gone away. CVE-2025-58680 seems very similar and states that versions <=3.5.2 are vulnerable. It also appears to have a higher impact than 58783 with a score of 6.5.
OK, so things are now a bit clearer. As I understand it, the presumption is that this is a false positive. I can see that if true this is rather irritating for the developers, but also for users. I get an email from my Solid Security plugin every day now telling me that I have Vulnerable Software installed. I could mute this warning but I’d rather not go around doing this sort of thing if it can be avoided.
The Solid Security warnings seem to come from Patchstack, but presumably they are just getting the information from somewhere else. I can certainly see that without someone revealing the steps to reproduce this or at least how they determined that it was an issue then it could be frustrating to get to a resolution.
The issue you’re experiencing should be resolved in version 3.4.0.
Huh? What? Have you actually read my initial question at all? The Wordfence vulnerability report kindly linked by Pexle Chris clearly states that versions up to and including 3.4.1 are vulnerable whilst the Patchstack entry says versions up to and including 3.4.3 are vulnerable.
I’m already running 3.4.1 and will soon update to 3.4.3 but doing that isn’t going to change what is written in the vulnerability databases. If you think that this XSS issue has been fixed then can you say so as there is no hint of this in the Change Log.
I’m beginning to suspect that the answer to my question about whether the developers are aware of this security problem is “No they’re not!” and that is rather worrying.
Forum: Networking WordPress
In reply to: Server hostname instead of site url in multisite
Hello – I am pleased to say that I have solved the problem.
The issue relates to the two lines in wp-config.php which read:
define('WP_HOME','http://funfoodfreedom.huskydog.org');
define('WP_SITEURL','http://funfoodfreedom.huskydog.org');
When I looked in the database I discovered that 'home' and 'siteurl' were both set to 'http:gordon/wordpress:80'. This setting must have been set very early on when I first installed WordPress. It was having no effect during single site as the two lines above were overriding it. The funfoodfreedom address was also the one which showed up in the site configuration page and as I said the site worked fine from this URL for years.
Clearly, when I tried to activate multisite it read the values from the database rather than wp-config.php and set the links incorrectly. I corrected the database entries using the functions.php technique listed in the article below and now things seem to all be working correctly and I have added a new site.
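Editor's added example, not part of huskydog's post, the linked article or WordPress core: a must-use plugin that audits the stored 'home' and 'siteurl' rows against WP_HOME / WP_SITEURL before multisite is enabled. Because WordPress masks those two rows through the option_home / option_siteurl filters whenever the constants are defined, get_option() would have hidden the stale 'http:gordon/wordpress:80' value the post describes; the snippet therefore reads the rows directly with $wpdb and, when the hypothetical HD_FIX_SITEURL_ROWS constant is set, rewrites them with update_option() in the same way as the functions.php technique the post mentions. The hd_ function names and the hostnames in the comments are assumptions for illustration.

```php
<?php
/**
 * Editor-added example (not huskydog's code, not WordPress core, not the
 * linked article). Save as wp-content/mu-plugins/hd-siteurl-audit.php on a
 * single-site install BEFORE activating multisite, then remove it once the
 * rows are correct: it runs on every request.
 *
 * Assumed/hypothetical: HD_FIX_SITEURL_ROWS (defined below), the hd_ helpers,
 * and the example hostnames in the comments.
 */

// Leave false to only log mismatches; set true for the one request that
// should rewrite the rows, then set it back (or delete the file).
if ( ! defined( 'HD_FIX_SITEURL_ROWS' ) ) {
	define( 'HD_FIX_SITEURL_ROWS', false );
}

/**
 * Return the raw option_value from the options table, bypassing the
 * option_home / option_siteurl filters that substitute WP_HOME / WP_SITEURL
 * and would otherwise hide a stale stored value.
 */
function hd_raw_option( $name ) {
	global $wpdb;
	return $wpdb->get_var(
		$wpdb->prepare(
			"SELECT option_value FROM {$wpdb->options} WHERE option_name = %s LIMIT 1",
			$name
		)
	);
}

/**
 * Compare the stored rows with the wp-config.php constants and log, or fix,
 * any mismatch. Example log line for the situation described in the post:
 *   option siteurl is 'http:gordon/wordpress:80' in the database but
 *   wp-config.php says 'http://funfoodfreedom.huskydog.org.uk'
 */
function hd_audit_site_urls() {
	if ( ! defined( 'WP_HOME' ) || ! defined( 'WP_SITEURL' ) ) {
		return; // Nothing to compare against; the stored rows are authoritative.
	}

	$expected = array(
		'home'    => untrailingslashit( WP_HOME ),
		'siteurl' => untrailingslashit( WP_SITEURL ),
	);

	foreach ( $expected as $name => $want ) {
		$stored = (string) hd_raw_option( $name );
		if ( $stored === $want ) {
			continue;
		}

		error_log( sprintf(
			"option %s is '%s' in the database but wp-config.php says '%s'",
			$name,
			$stored,
			$want
		) );

		if ( HD_FIX_SITEURL_ROWS ) {
			// update_option() stores the literal (sanitized) URL in the table;
			// a later get_option() still shows the constant, so re-check with
			// hd_raw_option() rather than get_option() after running this.
			update_option( $name, $want );
			error_log( sprintf( "option %s rewritten to '%s'", $name, $want ) );
		}
	}
}
add_action( 'init', 'hd_audit_site_urls' );
```

Reading the rows with $wpdb instead of get_option() is the whole point: with WP_HOME and WP_SITEURL defined, the dashboard's General Settings page and get_option() both report the constant, which is why a stale value such as an internal hostname can sit in the table for years and only surface when another code path (here, the network setup) consults the row directly. An internal hostname turning up in public links is also a small information leak about the hosting layout, so it is worth fixing even where it happens not to break anything.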
Forum: Networking WordPress
In reply to: Server hostname instead of site url in multisite
Hello and thank you both for replying.
JNashHawkins
Yes, my site is the hamster one. I was just trying to express the problem in the abstract so didn't bother with the real site URL. I have switched it back to single site mode now as I don't want to leave it in the broken state. I have no idea how secure it is when broken and since you have to disable plugins I don't have iThemes security active when it is broken and that makes me nervous.
autotutorial
Thanks for offering to help but I didn't quite understand what the linked article was trying to say. Let me try to be a bit clearer about what I have done and what is happening.
For several years I have had a fully functional blog at funfoodfreedom.huskydog.org.uk. I now want to create a new blog for a local club. For testing purposes it will be at sarumfinescale.huskydog.org.uk although I may move it to its own domain once it is working. I have created the DNS entry for the second blog.
What I did:
1) I added define('WP_ALLOW_MULTISITE', true); to the end of my wp-config.php file and disabled all of my plugins.
2) As described I then had a networking option under tools so I selected “sub-domains”, gave my network a suitable title and clicked “install”.
3) A page appeared explaining edits I had to make to wp-config.php and .htaccess. I made these and the files now look as below:
<?php
// The entry below was created by iThemes Security to disable the file editor
define( 'DISALLOW_FILE_EDIT', true );
define('WP_HOME','http://funfoodfreedom.huskydog.org.uk');
define('WP_SITEURL','http://funfoodfreedom.huskydog.org.uk');
<** Lots of lines with passwords and suchlike which I haven't touched **>
define('WP_DEBUG', false);
/*define('WP_DEBUG_LOG', true);*/
define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', true);
define('DOMAIN_CURRENT_SITE', 'funfoodfreedom.huskydog.org.uk');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
/* Multisite */
define('WP_ALLOW_MULTISITE', true);
My .htaccess file looks like this.
php_value upload_max_filesize 32M
php_value post_max_size 128M
php_value memory_limit 256M
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
</IfModule>
# END WordPress
So, what happened?
According to the instructions I should now log back in and add my new site via the "My Sites" menu. Unfortunately, I can't log in or indeed do anything else at all. All I see is the front page of my original blog but without any theme or images. The links are there but don't work because they point to the wrong place.
So, for example, when my single site is working, the “Log In” link points to:
"http://funfoodfreedom.huskydog.org.uk/wp-login.php?itsec-hb-token=funlogin" but on the new broken site it points to:
"garry/wordpress/wp-login.php" Note: The new links don't have any "http://" at the start.
garry is the hostname of the host for the virtual machine running WordPress. To be clear, I have a server called garry hosting a virtual machine called alex on which is running Apache with my WordPress installation. I host my blog like this to increase security and it has worked fine in single site mode for years. The complete mystery (now I come to think about it) is how exactly the WordPress installation on the virtual machine knows of the hostname 'garry' in the first place. So far as I know, the only place in my WordPress configuration where 'garry' is mentioned is as the MySQL server.