Viewing 5 replies - 1 through 5 (of 5 total)
    Plugin Support wfpeter

    (@wfpeter)

    Hi @demmeln, thanks for getting in touch.

    Our reporting of this seems to be down to the vulnerability being verified and the CVE being issued by Patchstack. Wordfence will report these, even though we weren’t the entity that decided it was a valid vulnerability.

    When a fix is confirmed by Patchstack, Wordfence will update shortly afterwards. We can sometimes check for a fix ourselves, but would need the plugin’s developer to reach out to us privately with the full report.

    Many thanks,
    Peter.

    Thread Starter demmeln

    (@demmeln)

    Thanks. I did a little more digging and there was already a discussion including the plugin author. It appears 0.91.0 is still affected with a different / similar issue. The author is aware and is debating whether it’s an issue worth alarming users about, since apparently it would require a compromised system to be exploited. It seems he is not planning to make changes, unless someone has a good suggestion of what should be done.

    https://github.com/picandocodigo/List-Category-Posts/issues/537#issuecomment-3291481087

    Plugin Support wfpeter

    (@wfpeter)

    Thanks for providing the extra context @demmeln.

    When we confirm a CVE ourselves, we can suggest a possible fix to the plugin developer and assist them if anything is unclear. For that reason I’d first recommend they keep in touch with Patchstack in a similar way if they need any additional guidance or help before submitting a fix. As the severity level is 8.8 (High), it may result in users making the decision to find an alternative plugin.

    If they still require any suggestions, our internal Threat Intelligence team would be more than happy to review it in more detail. We will need access to the original report details in order to do that, sent with some background information about the case to wfi-support @ wordfence . com

    Many thanks,
    Peter.

    Plugin Support wfpeter

    (@wfpeter)

    I’ve just noticed that (as of yesterday) the plugin is considered patched at Patchstack. Our records are now updating accordingly, too.

    Peter.

    Thread Starter demmeln

    (@demmeln)

    Indeed, looks like the author did implement a second patch after all (https://github.com/picandocodigo/List-Category-Posts/issues/537#issuecomment-3303308639). Thanks for checking. The warning now also disappeared from my WF scan.


The topic ‘List category posts CVE wrong affected version specifier <= 0.91.0’ is closed to new replies.