Manja Neumann
Forum Replies Created
We cannot update WooCommerce because of theme issues with WP 6.9
Forum: Plugins
In reply to: [Download Manager] Vulnerabilities in Plugin?
Thank you for confirming that Vue.js will be updated and Bootstrap will be removed.
However, I need to ask very clearly: what is the exact timeline for these updates?
- Vue.js (currently v2.6.12) must be updated to the latest secure version.
- Bootstrap (currently included as v3.3.4 and v5.3.0-alpha1) must be removed or replaced with a stable, supported version.
This is not only a feature request – we are running a penetration test, and the reported security issue must be resolved to continue using the plugin.
Without a clear timeframe, we have to consider replacing this plugin.
For reference, Patchstack has already published a vulnerability:
https://patchstack.com/database/wordpress/plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-24-sensitive-data-exposure-vulnerability?_s_id=cve
Forum: Plugins
In reply to: [Download Manager] Vulnerabilities in Plugin?
I have already provided the evidence directly from the plugin package (Vue.js v2.6.12 and Bootstrap are both included).
In fact, the plugin ships with two different versions of Bootstrap: v3.3.4 and v5.3.0-alpha1.
If there is no transparent confirmation or plan from the developer regarding outdated and inconsistent dependencies, I cannot rely on this plugin any longer and will look for alternatives.
Transparency about bundled libraries is essential for security.
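The check these replies describe, reading the bundled libraries' versions straight out of the plugin's own asset files, can be scripted so the inventory is repeatable on every plugin update. The following is an added example, not code from the plugin, the poster or WordPress.org: it walks a plugin directory, parses the version banners that minified builds of Vue, Bootstrap and DataTables carry, flags pre-release builds and major versions below an assumed support baseline (MIN_SUPPORTED_MAJOR is an assumption for this example, not a statement from the thread), and reports any library shipped in more than one version. The sample plugin tree it scans is constructed in a temporary directory to mirror the file names quoted in the thread.

```python
"""Inventory the front-end libraries bundled inside a WordPress plugin directory.

Added example for this thread. The banner regexes match the comment headers
that minified Vue, Bootstrap and DataTables builds begin with; the support
baseline below is an assumption for the example, not a policy from the page.
"""
import re
import tempfile
from pathlib import Path

# Banner patterns for the libraries discussed in the thread.
BANNERS = {
    "vue": re.compile(r"Vue\.js v(\d+\.\d+\.\d+[\w.-]*)"),
    "bootstrap": re.compile(r"Bootstrap v(\d+\.\d+\.\d+[\w.-]*)"),
    "datatables": re.compile(r"DataTables (\d+\.\d+\.\d+)"),
}

# Assumed baseline: lowest major version the reviewer still accepts.
# These numbers are an assumption for this example; adjust to your own policy.
MIN_SUPPORTED_MAJOR = {"vue": 3, "bootstrap": 5, "datatables": 2}

PRERELEASE_TAGS = ("alpha", "beta", "rc")


def parse_version(version):
    """Split '5.3.0-alpha1' into ((5, 3, 0), '-alpha1')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", version)
    nums = tuple(int(x) for x in m.groups()[:3])
    return nums, m.group(4)


def scan_file(path):
    """Return (library, version) pairs found in the file's leading banner."""
    head = Path(path).read_text(encoding="utf-8", errors="replace")[:2048]
    return [(lib, m.group(1)) for lib, rx in BANNERS.items() for m in rx.finditer(head)]


def inventory(root):
    """Walk every .js file under root and collect library/version findings with flags."""
    root = Path(root)
    results = []
    for path in root.rglob("*.js"):
        for lib, ver in scan_file(path):
            nums, suffix = parse_version(ver)
            flags = []
            if nums[0] < MIN_SUPPORTED_MAJOR[lib]:
                flags.append("unsupported-major")
            if any(tag in suffix for tag in PRERELEASE_TAGS):
                flags.append("prerelease")
            results.append({
                "library": lib,
                "version": ver,
                "path": path.relative_to(root).as_posix(),
                "flags": flags,
            })
    return sorted(results, key=lambda r: (r["library"], r["path"]))


def duplicate_libraries(results):
    """Libraries present in more than one version (the Bootstrap 3 + 5 case from the thread)."""
    seen = {}
    for r in results:
        seen.setdefault(r["library"], set()).add(r["version"])
    return {lib: sorted(v) for lib, v in seen.items() if len(v) > 1}


def build_sample_plugin():
    """Constructed sample plugin tree with banners like those of real minified builds."""
    root = Path(tempfile.mkdtemp(prefix="plugin-"))
    files = {
        "assets/js/vue.min.js": "/*!\n * Vue.js v2.6.12\n * (c) 2014-2020 Evan You\n */\n!function(){}();",
        "assets/adminui/js/bootstrap.min.js": "/*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)\n */\n",
        "assets/adminui/js/bootstrap.bundle.min.js": "/*!\n  * Bootstrap v5.3.0-alpha1 (https://getbootstrap.com/)\n  */\n",
        "assets/js/jquery.dataTables.min.js": "/*! DataTables 1.10.23\n * (c)2008-2020 SpryMedia Ltd\n */\n",
        "assets/js/app.js": "console.log('no banner here');\n",
    }
    for rel, body in files.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    plugin_root = build_sample_plugin()
    findings = inventory(plugin_root)
    for r in findings:
        print(f"{r['library']:<11}{r['version']:<14}{r['path']:<45}{','.join(r['flags'])}")
    for lib, versions in duplicate_libraries(findings).items():
        print(f"{lib} is bundled in several versions: {', '.join(versions)}")
```

Run it against a real plugin directory by passing that path to inventory() instead of build_sample_plugin(); files whose banner was stripped by a build step will not be detected, so a missing entry is a reason to look, not proof of absence.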
Forum: Plugins
In reply to: [Download Manager] Vulnerabilities in Plugin?
I have checked the plugin files directly (version 3.3.24).
- The plugin includes Vue.js v2.6.12 (/assets/js/vue.min.js).
- It also bundles Bootstrap (/assets/adminui/js/bootstrap.min.js and bootstrap.bundle.min.js).
So, even though you mentioned that Bootstrap is not included, it is actually shipped inside the plugin package. Vue is also included, and the version is not the latest (Vue 2.7 is the most recent release in the 2.x branch).
It would be very helpful to know if there are plans to update these dependencies to more recent versions, as we have to pass the OWASP pen test. Otherwise we have to replace your plugin with a more secure plugin.
Thanks
Manja
Forum: Plugins
In reply to: [Download Manager] Vulnerabilities in Plugin?
I don’t know how to check which Vue version your plugin uses. I was hoping you would know? I would like to start the retest only once the issue has been fixed.
Forum: Plugins
In reply to: [Download Manager] Vulnerabilities in Plugin?
Sorry, I don’t understand your answer. I want to know in which update you will replace the old Vue version. Can you give me an estimate?
Forum: Plugins
In reply to: [Quiz Maker by AYS] Vulnerabilities in Plugin?
Thanks a lot! I will get in touch with the dev team.
Forum: Plugins
In reply to: [Quiz Maker by AYS] Vulnerabilities in Plugin?
As this is a public department website, it has been tested for security by the IT service department and may only be published once the issues have been resolved. We failed the test due to these software components.
jQuery.datatables 1.10.23: https://nvd.nist.gov/vuln/detail/CVE-2021-23445
“This constitutes a violation of the administrative regulation, as security patches (including those for third-party products) must be installed immediately.”
bootstrap.js 4.5.3: https://endoflife.date/bootstrap
“According to the information gathered using the means at our disposal, the above-mentioned software is no longer maintained by the manufacturer in the version branch used and, as a result, is no longer provided with security patches. The operation of the web application with the version currently used in the web application is not permitted.”
https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
https://cwe.mitre.org/data/definitions/1104.html
Thanks
Manja
Forum: Plugins
In reply to: [Download Manager] Vulnerabilities in Plugin?
Thanks for the clarification. Which fix will upgrade Vue to the latest version?
Forum: Plugins
In reply to: [Download Manager] Vulnerabilities in Plugin?
It’s not just a warning. We failed the test because of these two outdated libraries in your plugin.
There is a security patch for it, right?
Forum: Plugins
In reply to: [Decimal Product Quantity for WooCommerce] Checkout broken
We had to uninstall it because many customers were unable to make purchases and were confused by the recovery message. I hadn’t come across this on the test server, and it wasn’t mentioned in your documentation either. We weren’t expecting it, because this is a plugin for decimal quantities.
Forum: Plugins
In reply to: [Decimal Product Quantity for WooCommerce] Checkout broken
Yeah, no! The customers complain and cannot go further. How can I disable that?
This is a plugin for decimal quantities, not for recovering carts, right?
Forum: Plugins
In reply to: [Germanized for WooCommerce] Decimal quantity in invoices
As I mentioned above, we use a plugin for calculating the price for decimal amounts.
I wonder why it is such a problem to represent a quantity with decimals if it is not a problem with the price, for example. Nobody would simply cut the cents off the price.
As soon as we connect the audience in the Mailchimp for WooCommerce plugin, the data is no longer counted in the WooCommerce statistics. If we disconnect the connection, everything is visible again correctly. Your colleague had fixed this, but from then on the connection was regularly reset. Now the connection is stable again and the statistics are broken again. But it’s all here in the thread.
And now we are back to the original issue. With starting the Mailchimp sync we lost the WooCommerce statistics again.