pineapplepalm
Forum Replies Created
Forum: Plugins
In reply to: [WP Job Manager] Broken Access Control vulnerability
@donncha I could probably test a completed plugin zip with a staged site to see how it behaves, plus a vulnerability code pass, another PCP, and conflict testing with some standard plugins. I won’t be able to test via a fork/PR in GitHub right now due to time constraints.
Working on a platform build atm. Do you feel the current state is stable enough for staging-level testing, or would you prefer to push a bit further before that?
Thanks for re-prioritizing this, it doesn’t go unnoticed.
Forum: Plugins
In reply to: [WP Job Manager] Broken Access Control vulnerability
Hi @donncha, any update on my last response above?
Forum: Plugins
In reply to: [WP Job Manager] Any intent on a sucurity update?
Hi @donncha, Wordfence still shows it as problematic, as a critical issue.
Forum: Plugins
In reply to: [WP Job Manager] Broken Access Control vulnerability
@donncha Ahh I see. That PR is a pickle. It might be that other contributors are slow-rolling their fixes (understandably… other projects and all). But, ultimately it might be a case of 2-3 others who are fixing things vs 80k active site admins plus the many hundreds of thousands of end users who are kinda vulnerable atm.
If they don’t have a fairly imminent window to push theirs so you can get started with fixing your colossal load of issues, you may have to bite the bullet and follow through. It’s been a couple of months since the PR, but these issues preceded that.
I feel your pain on this – really hoping it can be addressed. I know it’s by no means a flicked switch fix, but maybe some cajoling at this point so their contributions aren’t wasted makes sense?
Standing by, hoping for a resolution soon on it. Appreciate your support and openness to share the issues impacting it.
Another sidebar FYI, in the Alerts plugin, you can’t remove the RSS (there doesn’t seem to be a setting for that). Useful since we’re trying to keep our install free of RSS and scraping through as many vectors as possible
Forum: Plugins
In reply to: [Maintenance] custom slugs Buddypress endpoints
Hopefully you are the only one to click this, as I don’t want to link this to our site:
Here are the links to our site. Please let me know if you were able to see this. Please don’t add our URL here though.
https://1ty.me/QbvJuzuP
Forum: Plugins
In reply to: [WP Job Manager] Broken Access Control vulnerability
If possible, can you assist to allow me to edit one of my comments which has our URL in it? For security reasons, I don’t want that exposed on WP.org.
Forum: Plugins
In reply to: [WP Job Manager] Broken Access Control vulnerability
@donncha thanks! We appreciate your team’s efforts.
May I also take this time to tell you there are many other issues (which can lead to vulnerabilities) which are shown in the Plugin Checker when run on this plugin. I have the upgraded Jobs Manager suite too, and in each of those plugins there are also many errors and warnings which we’re concerned can lead to various exploits. WP Jobs Manager represents one of the most important features of our site, and I’m sure many other users’.
All that said, I wondered, if your team would be willing to look into that too? There’s a lot of these, but here’s a few I see from the assessment:
WARNING PluginCheck.Security.DirectDB.UnescapedDBParameter: Unescaped parameter $query used in $wpdb->get_results(); $query assigned unsafely
ERROR missing_direct_file_access_protection: PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
WARNING WordPress.Security.NonceVerification.Missing: Processing form data without nonce verification.
ERROR missing_direct_file_access_protection: PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
ERROR outdated_tested_upto_header: Tested up to: 6.6 < 6.9. The “Tested up to” value in your plugin is not set to the current version of WordPress.
WARNING WordPress.Security.NonceVerification.Missing: Processing form data without nonce verification.
ERROR PluginCheck.CodeAnalysis.Heredoc.NotAllowed: Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
ERROR plugin_updater_detected: Plugin Updater detected. These are not permitted in ww.wp.xz.cn hosted plugins. Detected: site_transient_update_plugins
ERROR WordPress.Security.EscapeOutput.UnsafePrintingFunction: All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
ERROR WordPress.Security.EscapeOutput.OutputNotEscaped: All output should be run through an escaping function
WARNING missing_composer_json_file: The “/vendor” directory using composer exists, but “composer.json” file is missing.
ERROR badly_named_files: File and folder names must not contain spaces or special characters.
Thanks for your attention to this. We appreciate your team.
Forum: Plugins
In reply to: [WP Job Manager] Broken Access Control vulnerability
@donncha Wordfence and Solid Security still cite it as a current issue:
- The Plugin “WP Job Manager” has a security vulnerability. Type: Plugin Vulnerable
- Issue Found: April 18, 2026 6:07 am. Severity: Critical
- Plugin Name: WP Job Manager
- Current Plugin Version: 2.4.1
- Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “WP Job Manager” until a patched version is available.
- Repository URL: https://ww.wp.xz.cn/plugins/wp-job-manager
- Vulnerability Information: https://www.wordfence.com/threat-intel/vulnerabilities/id/3099875e-ed6e-4d59-9da2-48fb389112ef?source=plugin
- Vulnerability Severity: 5.3/10.0
Forum: Plugins
In reply to: [WP Job Manager] Wordfence warning: Broken access control
I’m also getting the same. Wordfence has this as an active unpatched issue. Please update 2.4.1 so that the same isn’t present, or if it was indeed fixed in 2.4.1 as your other thread suggests, reach out to Wordfence and the others which cite this as a critical vulnerability.
Tim, tbh I can’t suss the reason for the tone? “take a look at it yourself” isn’t a helpful response, respectfully.
I’m simply asking for assistance to address/resolve an issue. LSWS is not an edge-case server setup. Editing your plugin files to avoid triggering this rule isn’t something that makes sense, hence reaching you, the dev, for support on it.
I appreciate your thought that perhaps the code is triggering Atomicorp rules. However, the only solution is blanket whitelisting the whole of LT for the rule; we can’t seem to scope a rule for *just* the LifterLMS saving. Our host has mentioned that this would be the only approach they can offer. If however you can suggest another way to approach it, that would be appreciated.
I can generate the language just fine, I just cannot save without triggering the error codes.
You’re far closer to being able to suggest a possible solution than I would be. Okay, let’s say this is a false positive trip. But could you advise how to either scope an LSWS rule, or otherwise identify why Lifter (specifically and solely) is being generated/handled/saved (whatever) differently, which doesn’t happen with any other plugins that I translate?
Standing by for support, and again appreciate feedback.
Hi Tim @timwhitlock,
Thanks for checking into that. Is this handled differently vs other plugin translations? If so, my suggestion would be to normalize this one so that it doesn’t ping modsec and can work as translations usually do, since this is the only plugin I’ve experienced pinging LSWS’s Atomicorp rules.
We have about 300-500 translation strings to change, but can’t. The only way we can do the translations is blanket turning off the rule, which is foolhardy.
Thanks in adv.
Hi @brianhogg, thanks for pointing that out. Do you think you can check the issue also, since it literally only happens to the LifterLMS plugin with Loco Translate? We’ve had to disable the modsec rule in the past to be able to save Lifter translations. Can you identify if there’s a reason for it that might be Lifter related?
Appreciate the feedback from both of you.
Hi Tim,
Thanks, will separate in future.
- Thanks for the lookup. I think it’s actually bbPress related (we do have bbPress installed).
- Thanks for the feedback. It’s not that I’m trying to save such a large .po; even if there is only 1 translation made, even a period, it triggers modsec. This is the case in the free LifterLMS from the repo, not the premium addons. I have tested this on a TasteWP temp WP site: it’s not a problem on NGINX, but on LSWS, and only for Lifter, Loco Translate pings an issue.
- Below I’m leaving the actual error in full (domain, IP, and username redacted). Hoping you can make a little more sense of it in this context? I would be open to anything you might discover on it, as I haven’t located anything that would make this make sense.
- Would you be open to checking any direct DB calls/unescaped errors in the short term? I’m registered to report to Wordfence, but I’m cramming before the holidays, and don’t have the bandwidth atm to do all the work for a report.
Thanks for the speedy contact, and will await the feedback.
2025-12-15 12:46:03.136905 [NOTICE] [3184029] [T8] [162.158.62.50:22743:HTTP2-1>111.111.111.111#APVH_OURDOMAINREDACTED:443] [MODSEC] mod_security rule [id "383023"] at [/etc/httpd/modsecurity.d/modsec/11_asl_adv_rules.conf:45] triggered!
[Mon Dec 15 12:46:03.112908 2025] [error] [client 111.111.111.111] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_BODY|REQUEST_URI|XML:/*' '(?:define|fgets|strrev|move_uploaded_file|readfile|ftp_put|ftp_fget|gzencode|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|create_function|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|require|require_once|parse_ini_file|set|shell_exec|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|serialize|include|php_uname|preg_\w+|execute|gz(?:inflate|decode|uncompress)|zlib_\w+) ?[\"\(@]'] [id "383023"] [rev "6"] [msg "Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt - base64 encoded"] [logdata ""] [severity "CRITICAL"] [hostname "OURDOMAINREDACTED"] [uri "/wp-admin/admin-ajax.php"] [unique_id "5BDYoLjucFCWYVA7w0Df787F"], referer: https://OURDOMAINREDACTED/wp-admin/admin.php?path=languages%2Floco%2Fplugins%2Flifterlms-en_US.po&bundle=lifterlms%2Flifterlms.php&domain=lifterlms&page=loco-plugin&action=file-edit
2025-12-15 12:46:03.137179 [NOTICE] [3184029] [T8] [162.158.62.50:22743:HTTP2-1>111.111.111.111#APVH_OURDOMAINREDACTED:443] Content len: 701801, Request line: 'POST /wp-admin/admin-ajax.php HTTP/1.1'
2025-12-15 12:46:03.137186 [INFO] [3184029] [T8] [162.158.62.50:22743:HTTP2-1>111.111.111.111#APVH_OURDOMAINREDACTED.app:443] Cookie len: 1973
2025-12-15 12:46:30.922065 [NOTICE] [3184029] [T2] [172.71.81.95:15005:HTTP2-1>111.111.111.111#APVH_OURDOMAINREDACTED.app:443] [MODSEC] mod_security rule [id "383023"] at [/etc/httpd/modsecurity.d/modsec/11_asl_adv_rules.conf:45] triggered!
[Mon Dec 15 12:46:30.915505 2025] [error] [client 111.111.111.111] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_BODY|REQUEST_URI|XML:/*' '(?:define|fgets|strrev|move_uploaded_file|readfile|ftp_put|ftp_fget|gzencode|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|create_function|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|require|require_once|parse_ini_file|set|shell_exec|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|serialize|include|php_uname|preg_\w+|execute|gz(?:inflate|decode|uncompress)|zlib_\w+) ?[\"\(@]'] [id "383023"] [rev "6"] [msg "Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt - base64 encoded"] [logdata ""] [severity "CRITICAL"] [hostname "OURDOMAINREDACTED.app"] [uri "/wp-admin/admin-ajax.php"] [unique_id "wD@m9Qi6ryEzfChjBqHe9HdD"], referer: https://OURDOMAINREDACTED.app/wp-admin/admin.php?path=languages%2Floco%2Fplugins%2Flifterlms-en_US.po&bundle=lifterlms%2Flifterlms.php&domain=lifterlms&page=loco-plugin&action=file-edit
2025-12-15 12:46:30.922187 [NOTICE] [3184029] [T2] [172.71.81.95:15005:HTTP2-1>111.111.111.111#APVH_OURDOMAINREDACTED:443] Content len: 701844, Request line: 'POST /wp-admin/admin-ajax.php HTTP/1.1'
2025-12-15 12:46:30.922195 [INFO] [3184029] [T2] [172.71.81.95:15005:HTTP2-1>111.111.111.111#APVH_OURDOMAINREDACTED:443] Cookie len: 1973
- This reply was modified 5 months, 1 week ago by pineapplepalm.
- This reply was modified 5 months, 1 week ago by pineapplepalm.
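An added example, not code from Loco Translate, LifterLMS or the host: it reproduces the rule 383023 pattern exactly as quoted in the log above and runs it over the strings of a .po catalog, so an admin can see which translation strings would trip the WAF and fix or exclude just those instead of switching the rule off site-wide. The catalog used is constructed, the .po parser is a minimal one written for this example, and it assumes the decoded msgid/msgstr text is what reaches the request body.

```python
import re

# Pattern reproduced from the mod_security log quoted above (Atomicorp rule 383023, rev 6):
# a PHP function name, an optional space, then one of the characters  "  (  @
RULE_383023 = re.compile(
    r"(?:define|fgets|strrev|move_uploaded_file|readfile|ftp_put|ftp_fget|gzencode|ftp_nb_put|bzopen|readdir|gzread"
    r"|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get"
    r"|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|create_function|base64_decode"
    r"|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|require|require_once|parse_ini_file"
    r"|set|shell_exec|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|serialize|include|php_uname"
    r"|preg_\w+|execute|gz(?:inflate|decode|uncompress)|zlib_\w+) ?[\"\(@]"
)
_HEADER = re.compile(r'^(msgid|msgstr|msgctxt)\s+"(.*)"$')

def _unescape(s):
    """Undo the .po string escapes that matter here: \\" \\n and \\\\."""
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")

def parse_po(text):
    """Return (line_no, field, value) per msgid/msgstr/msgctxt, joining multi-line strings (minimal parser)."""
    entries, field, start, buf = [], None, 0, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = _HEADER.match(line)
        if m:                                            # new msgid/msgstr/msgctxt line
            if field:
                entries.append((start, field, "".join(buf)))
            field, start, buf = m.group(1), n, [_unescape(m.group(2))]
        elif field and line.startswith('"') and line.endswith('"'):
            buf.append(_unescape(line[1:-1]))            # continuation line of the same string
        elif not line or line.startswith("#"):           # blank line or comment ends the entry
            if field:
                entries.append((start, field, "".join(buf)))
            field, buf = None, []
    if field:
        entries.append((start, field, "".join(buf)))
    return entries

def find_waf_hits(po_text):
    """Every catalog string rule 383023 would match, with the fragment that matched."""
    return [{"line": n, "field": f, "match": m.group(0)}
            for n, f, value in parse_po(po_text)
            for m in RULE_383023.finditer(value)]

# Constructed sample catalog (not a real LifterLMS .po): one harmless string, one hint
# that mentions define(, and one plain sentence that happens to contain: set "
SAMPLE_PO = """\
msgid "Save changes"
msgstr "Save changes"

msgid "Add define( 'LLMS_DEBUG', true ) to wp-config.php"
msgstr ""

msgid "Please set \\"Enable\\" to continue"
msgstr "Please set \\"Enable\\" to continue"
"""
```

Running `find_waf_hits` over a real catalog lists the line, field and fragment of each string the rule would block; a catalog with no hits saves fine, so the list is also a quick way to confirm the rule and not the plugin code is what is being tripped.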
Forum: Plugins
In reply to: [Loco Translate] Where is the “save” button?
@jarxabi it’s right at the top (green), on the LEFT, under the language you are translating. It’s grey by default and green when ready to be clicked, after you’ve added things to edit.
It is not at the bottom or out there on the right-hand side, like in many other plugins or applications.
Thank you. Is it possible to also block readability in Rank Math for .htaccess, since even when disabled, it is still visible?
Many thanks.