WordPress Related Posts
[resolved] Vaultpress says this plugin has a vulnerability (7 posts)

  1. jmckiernan86
    Member
    Posted 1 year ago #

    The exact message is:

    "The plugin WordPress Related Posts (version 2.7.1) has a publicly known vulnerability. It is recommended to deactivate and remove this plugin"

    Will this be addressed soon? Because I like the plugin and I'd like to reactivate it ASAP.

    Thanks

    http://wordpress.org/extend/plugins/wordpress-23-related-posts-plugin/

  2. silvoslaf
    Member
    Plugin Author

    Posted 1 year ago #

    Hm, well, this is definitely not right. We are contacting them for more details ASAP!

    Thanks for bringing this up to us!

    Best,
    Silvo

  3. silvoslaf
    Member
    Plugin Author

    Posted 1 year ago #

    Hey!

    Here's the official response from Vaultpress we received a couple of days ago:

    I searched for the quote that appears on that forum thread on our website (vaultpress.com), and we did not publish that text. I also did not find that text in any of our support emails.

    If you have issues with that forum thread, I think it's best to speak with someone from WordPress.org.

    Where did you spot that message? Let me know, so we can act accordingly in order to avoid any future misconceptions.

    Thanks again & I'm looking forward to your reply!

    Best,
    Silvo

  4. Chris Rudzki
    Happiness Engineer at Automattic
    Posted 1 year ago #

    Hey,

    Just to clarify - we always recommend that users run the latest versions of their plugins and themes, and naturally, WordPress itself.

    In this case, it appears that our security scanner identified an older version of WordPress Related Posts running on a VaultPress user's site. According to the following advisory, the older version has a security vulnerability:

    http://secunia.com/advisories/53279/

    The security notification identified 2.7.1 as the vulnerable version, but this was a typo. The vulnerable version is 2.6.1, and we've since updated our messaging to reflect this.

    I hope this helps - thanks for bringing this to our attention!

    -Chris from VaultPress

  5. silvoslaf
    Member
    Plugin Author

    Posted 1 year ago #

    Hey Chris, big thanks for your update on this!

    Yeah, we had some issues with the older version of our plugin, but we resolved it almost immediately together with the WordPress team, so that it doesn't violate any TOS on their (or our) side.

    Rest assured that all versions of our plugin are now completely safe to use.

    Feel free to contact me at any time if something is not absolutely clear — I'm here to help!

    Take care!

    Best,
    Silvo

  6. Chris Rudzki
    Happiness Engineer at Automattic
    Posted 1 year ago #

    You're very welcome, Silvo. I'm glad we could get this sorted out. :)

  7. jmckiernan86
    Member
    Posted 1 year ago #

    Chris, thanks for updating; however, it still says "1 security threat" on the top admin bar of WordPress. The only difference is it now shows that 2.6.1 is the vulnerable version when you click on the notification. I realize that the 2.7 version of the plugin is safe, but you guys may want to update that also. I already tried deactivating the plugin then reactivating, and the message still shows.

Topic Closed

This topic has been closed to new replies.