Rogue Coder
Forum Replies Created
Forum: Plugins
In reply to: [Events Easy Calendar] Multiple critical vulnerabilities
I’ve tried it and got an instant response that it’s not valid. I’m going offline today and will be offline until next Monday. If no reply has been made I will contact the one you provided. Thanks for this reply
Forum: Reviews
In reply to: [Events Easy Calendar] Should not be used
So common sense is to report to the developer only, and let users possibly be exploited by black hats while waiting for the fix? Sorry, but this doesn’t seem like common sense to me.
In this review I did nothing but issue a warning to users to wait for the fix before using this in a public environment..
I don’t understand what you’re really arguing about when it comes to the time I’ve given the developers. They’ve been given 9 days to reply and from the day the report is sent they’re given 14 days to fix it.. So I do believe that a total of 23 days is more than enough. Or?
I’m not wasting my time in this pointless discussion anymore, consider this my last message.
Forum: Reviews
In reply to: [Events Easy Calendar] Should not be used
Now that’s a weird policy.. A person finds a critical vulnerability in a plugin, and he’s not allowed to warn people to wait to use it until it has been patched? Where’s the logic in that?
I thought that WordPress wants their users to be safe, but how can they be if ethical security researchers like myself are not allowed to inform other users about this without disclosing the PoC’s and types of vulnerabilities. More people read the reviews than the Support section when downloading a plugin, because they want to see what people are saying about the plugin and how happy they are about it.
If/When the plugin gets fixed the review will of course be updated accordingly.
I mean, it would have been a whole different story if I had published the report to Bugtraq or Full Disclosure by now. That could become truly devastating. But since I work by ethical rules this won’t happen. The developers are _always_ given a proper deadline to reply and fix the issues before the report goes public.
Forum: Reviews
In reply to: [Events Easy Calendar] Should not be used
Well yes obviously I’m not expecting a response within 12 hours.. I’ve already sent a new message to the developers (through the support section with “This topic is not a support question” checked) before sending this, that I’m giving them 9 days to respond.. Until next Monday.
All I said in this review was that I have contacted the developers to be able to get a valid address to send the report to, and that people should wait to use this in a public environment until a fix has been released because of the vulnerabilities.
This is my way to try to help users of the WordPress platform to stay as secure as possible, by investigating newly uploaded/updated plugins every single day, and sending reports to the developers. Sadly, many developers completely ignore this and leave their users vulnerable.
Forum: Plugins
In reply to: [HMS Testimonials] Multiple critical vulnerabilities found
I just wanted to stop by and say that I’ve tested 2.0.11 and the vulnerabilities are indeed secured 🙂
Forum: Plugins
In reply to: [HMS Testimonials] Multiple critical vulnerabilities found
You’re welcome. I will upgrade my version and test it as well.
Forum: Plugins
In reply to: [Hack me if you can] Short tags?
Sounds good.. I’ll check it later tonight
Forum: Plugins
In reply to: [Hack me if you can] Short tags?
Then I suggest you explain why this appears when I try to save
http://wordpress/wp-admin/<?echo $_SERVER['REQUEST_URI'];?>
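The URL above shows what happens when a plugin uses the PHP short open tag `<?` on a server where short_open_tag is disabled: PHP does not recognise the tag, so the source text (here the echo statement) is sent to the browser literally instead of being executed, which can also leak anything else in that block. The scanner below is an added example, not code from the plugin or its author; it walks a set of PHP files for bare `<?` tags that are not `<?php` or `<?=` so they can be fixed before release. The file names and contents are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# A bare "<?" is only a PHP open tag when short_open_tag is on. "<?php" works
# everywhere and "<?=" is always available since PHP 5.4, so both are skipped.
# "<?xml" is skipped too: it is an XML declaration, not a PHP tag.
SHORT_TAG_RE = re.compile(r"<\?(?!php\b|=|xml\b)", re.IGNORECASE)


def find_short_tags(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each line using a bare '<?' tag."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SHORT_TAG_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """files maps path -> source text; returns only the paths with findings."""
    findings = {}
    for path, source in files.items():
        hits = find_short_tags(source)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample files (hypothetical plugin content, not from this page's plugin).
SAMPLE_FILES = {
    "good.php": (
        "<?php\n"
        "$uri = $_SERVER['REQUEST_URI'];\n"
        "?>\n"
        "<a href=\"<?= htmlspecialchars($uri) ?>\">link</a>\n"
    ),
    "bad.php": (
        "<form action=\"<?echo $_SERVER['REQUEST_URI'];?>\">\n"
        "<?php /* fine */ ?>\n"
        "<? $db_password = 'example-only'; ?>\n"  # would be echoed to the client
    ),
    "doc.xml": "<?xml version=\"1.0\"?>\n<root/>\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, text in hits:
            print(f"{path}:{lineno}: bare short open tag: {text}")
```

Run against a real plugin directory by reading each .php file into the dict; any hit is a line that will appear verbatim in the page on hosts with short_open_tag=Off.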
Forum: Plugins
In reply to: [HMS Testimonials] Multiple critical vulnerabilities found
Yeah might be.. That’s good
Forum: Plugins
In reply to: [HMS Testimonials] Multiple critical vulnerabilities found
Roger.. I’ll send it there
Forum: Plugins
In reply to: [HMS Testimonials] Multiple critical vulnerabilities found
Refreshed the page and still the same error
Forum: Plugins
In reply to: [HMS Testimonials] Multiple critical vulnerabilities found
Your contact form is flawed… I get this when trying to send.
——
Forbidden
You don’t have permission to access /contact/ on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
——
You want me to disclose it here? If not give me somewhere else to send it. I don’t think you would like this to be public before it’s patched to be honest
Forum: Plugins
In reply to: [HMS Testimonials] Multiple critical vulnerabilities found
I will send another message through the contact-us form with all the content
Forum: Plugins
In reply to: [Usernoise modal feedback / contact form] Vulnerability affecting admins
Indeed it is yes, but I really do not understand why you allow tags in the summary at all.