WordPress.org

Ready to get started?Download WordPress

Forums

PCI compliance - SQL Injection & wp-comments-post.php (6 posts)

  1. gbdg
    Member
    Posted 3 years ago #

    A PCI compliance scan on a client's site reports that wp-comments-post.php is vulnerable to SQL Injection. Is this a known issue, and if so, is there a fix?

  2. esmi
    Forum Moderator
    Posted 3 years ago #

    Please see the Security FAQ for information on reporting possible problems.

  3. gbdg
    Member
    Posted 3 years ago #

    The security FAQ directs me to send an e-mail to security@wordpress.org. However, my experience is that messages to that address are not responded to.

    We are informed that a store we host is now non-compliant for PCI because of a bug detected in the current WP version.

    Wuat is the status of a fix for this please?

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 3 years ago #

    There is no known issue with wp-comments-post, and it is not vulnerable to an SQL injection as far as we are aware.

    If you have found a vulnerability, then you should send email to that address. It will be dealt with promptly. However, that email address goes to a team of people who are knowledgeable in security matters and who can deal with the issue you are reporting promptly. They'll ignore queries, they only deal with actual threats. So unless you know of a valid threat, then you shouldn't email them.

    There cannot be a status for a fix for an issue that we know nothing about. We will need information on exactly what issue you are referring to, specifically, in order to respond properly.

  5. gbdg
    Member
    Posted 3 years ago #

    I posted to this older thread to make two points:

    1 - I never received any response to what I considered a very important message I sent to that address. I e-mailed them because securitymetrics.com refused to declare one of our sites compliant as long as comments were active. Our solution was to turn comments off, and with that done, the site passed compliance. I think that might be important enough to warrant some sort of response - perhaps you or the security team disagree.

    2 - I have a site that currently will not pass PCI complicance because http://www.securitymetrics.com told me tonight that (according to them) a vulnerability has been detected in the current version, and that the site will not be cleared until that vulnerability is resolved. Based on not receiving a reply from the security e-mail, as stated above, I thought I would try again here.

    Can you tell me if there are ANY issue is being worked on that is related to PCI compliance? I need something more concrete to tell my client other than the fact that securitymetrics.com claims that WP is not PCI compliant, thus making their site non-compliant.

    I appreciate your feedback.

  6. Ryan Boren
    WordPress Dev
    Posted 3 years ago #

    There are no known PCI compliance issues. Every single one sent our way is either reporting ancient vulnerabilities that don't apply to the version of WP being evaluated or is not a valid issue.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.