
Events Easy Calendar
[closed] Should not be used (10 posts)

1 star
  1. Rogue Coder
    Member
    Posted 11 months ago #

    This plugin contains multiple really critical vulnerabilities. I’ve made 3 attempts at getting in touch with the developer, but the first message was plainly and simply deleted. The second attempt has not yet received a reply, and the third attempt was just sent.

    This plugin should not be used on any public servers until these vulnerabilities have been patched.

  2. esmi
    Forum Moderator
    Posted 11 months ago #

    Try waiting a little longer than 12 hours for the plugin's developer to get back to you.

  3. Rogue Coder
    Member
    Posted 11 months ago #

    Well yes, obviously I'm not expecting a response within 12 hours. I've already sent a new message to the developers (through the support section with "This topic is not a support question" checked) before sending this, saying that I'm giving them 9 days to respond, until next Monday.

    All I said in this review was that I have contacted the developers to be able to get a valid address to send the report to, and that people should wait to use this in a public environment until a fix has been released because of the vulnerabilities.

    This is my way to try to help users of the WordPress platform to stay as secure as possible, by investigating newly uploaded/updated plugins every single day and sending reports to the developers. Sadly, many developers completely ignore this and leave their users vulnerable.

  4. esmi
    Forum Moderator
    Posted 11 months ago #

    obviously I'm not expecting a response within 12 hours

    Then why post this review when you only posted in the plugin's support forum a little over 12 hours ago? The plugin's developer hasn't had a chance to get back to you yet. Please remember that not everyone is in the same timezone as you and that this is the vacation period in many countries.

    This is not the first such review you've posted and, in the last one, the plugin developer did get back to you shortly afterwards. You just aren't leaving them enough time to respond before posting highly damning reviews.

  5. Rogue Coder
    Member
    Posted 11 months ago #

    Now that's a weird policy. A person finds a critical vulnerability in a plugin, and he's not allowed to warn people to wait to use it until it has been patched? Where's the logic in that?

    I thought that WordPress wants their users to be safe, but how can they be if ethical security researchers like myself are not allowed to inform other users about this without disclosing the PoCs and types of vulnerabilities? More people read the reviews than the Support section when downloading a plugin, because they want to see what people are saying about the plugin and how happy they are with it.

    If/When the plugin gets fixed the review will of course be updated accordingly.

    I mean, it would have been a whole different story if I had published the report to Bugtraq or Full Disclosure by now. That could become truly devastating. But since I work by ethical rules this won't happen. The developers are _always_ given a proper deadline to reply and fix the issues before the report goes public.

  6. esmi
    Forum Moderator
    Posted 11 months ago #

    Now that's a weird policy

    It's not a policy. It's plain common sense! You need to allow the plugin developer time to respond if you have raised an issue.

  7. Rogue Coder
    Member
    Posted 11 months ago #

    So common sense is to report to the developer only, and let users possibly be exploited by black hats while waiting for the fix? Sorry, but this doesn't seem like common sense to me.

    In this review I did nothing but issue a warning to users to wait for the fix before using this in a public environment.

    I don't understand what you're really arguing about when it comes to the time I've given the developers. They've been given 9 days to reply, and from the day the report is sent they're given 14 days to fix it. So I do believe that a total of 23 days is more than enough. Or?

    I'm not wasting my time in this pointless discussion anymore, consider this my last message.

  8. esmi
    Forum Moderator
    Posted 11 months ago #

    So common sense is to report to the developer only

    Initially, yes, and then try waiting more than 12 hours to give them time to reply. This ensures that:

    a) you are not actually increasing the profile of a potential security issue.
    b) the issue can be confirmed (yes - it is possible to make a mistake).
    c) the developer has the chance to fix the issue and release an update.

    You've also been informed of this in http://wordpress.org/support/topic/multiple-critical-vulnerabilities and asked to send details to plugins [ at ] wordpress.org if the plugin developer does not respond within a reasonable* time period.

    [* where "reasonable" would be defined as waiting for a full day or two.]

  9. I'm not wasting my time in this pointless discussion anymore, consider this my last message.

    That's your call, but do you think you can apply that logic to your other vulnerability postings?

    See this reply I just left.

    They've been given 9 days to reply, and from the day the report is sent they're given 14 days to fix it. So I do believe that a total of 23 days is more than enough. Or?

    This is not a race: ask yourself "what are you trying to accomplish?"

    If you're trying to get a tangible problem fixed then just releasing the vulnerability details is not the way to go.

    Reporting security vulnerabilities is serious business and always has to be performed responsibly and ethically.

    I'm glad you've not just rung the bell and posted the vulnerability, but leaving reviews like this is not productive at all and does not accomplish anything.

    If you do not get a reply from the plugin author then please do the right thing and send the details to plugins [ at ] wordpress.org.

    In addition to being able to pull the plugin from the repository (if necessary), that group can also attempt to contact the plugin author. Depending on what you've found they can make a decision about what to do next.

  10. I'm closing this.

    You already posted about this

    Stop making multiple posts. You're making more work for people who DO NOT have control over that plugin. Please stop. It's annoying and means we have to spend more time moderating and less time helping people.

    http://wordpress.org/support/topic/multiple-critical-vulnerabilities?replies=3

Topic Closed

This topic has been closed to new replies.
