I received the same message. What’s being done about this dev team? The dev team needs to give us an update on this soon! Our websites are at risk and we need to know if we should delete this software to maintain security on our websites!
Plugin Author
Arnan
(@adegans)
Blogvault flagging it as well.
AdRotate Vulnerability
Category: PLUGIN
Versions-Affected: <= 5.9
Type: Cross Site Request Forgery
Severity: MEDIUM
Description: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities leading to resetting some of the maintenance settings (Reset tasks, Disable the third party, Update Database) were discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress AdRotate Banner Manager plugin (versions <= 5.9).
Plugin Author
Arnan
(@adegans)
Addressed in version 5.9.1 – update now.
Wordfence is still saying it is not patched yet. Why?
Plugin Author
Arnan
(@adegans)
Dunno, I don’t work for them.
Arnan,
No doubt you have created a great plugin and we are indebted to you for your free services; however, your general behavior is not good.
When someone reported an issue, your first reaction was that it was a false report. Before publishing such bugs, security experts do report them to the plugin author.
You later said that the issue is fixed in a later version. So you accepted at a later stage that there was an issue.
Now I am just asking why it is not showing as fixed on the plugin security vulnerability site, and your answer is not up to the mark.
This reply was modified 3 years, 4 months ago by Fropky.
Plugin Author
Arnan
(@adegans)
It was a false report indeed and I only made an edit because they made their report and everyone else believed it to be an actual vulnerability, while it was not.
If you know my code better or the risks of clicking a button that requires admin access to work that then does nothing that can be hacked, leaked or stolen, please enlighten me…
As far as I know the report from whoever found it has been marked fixed.
So if WordFence didn’t update their stuff that’s outside my control.
Plugin Author
Arnan
(@adegans)
I’ve told WordFence to update their database.
Hopefully they’ll fix it soon 🤨
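For reference on the vulnerability class named in the advisory quoted in this thread, here is an added example (not AdRotate's code and not part of any post above) of a WordPress admin maintenance action that checks both the user's capability and a nonce before changing state. The plugin name, action name, nonce field, option key and function names are all hypothetical.

```php
<?php
/**
 * Plugin Name: Example Maintenance Actions (hypothetical, for illustration only)
 */

// Hypothetical identifiers, not taken from AdRotate.
const EXAMPLE_ACTION = 'example_reset_tasks';
const EXAMPLE_NONCE  = 'example_maintenance_nonce';

add_action( 'admin_menu', function () {
    add_management_page( 'Example Maintenance', 'Example Maintenance',
        'manage_options', 'example-maintenance', 'example_render_page' );
} );

// The form embeds a nonce bound to this user, this action and a time window.
function example_render_page() {
    ?>
    <div class="wrap">
      <h1>Example Maintenance</h1>
      <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_NONCE ); ?>
        <?php submit_button( 'Reset tasks' ); ?>
      </form>
    </div>
    <?php
}

// admin-post.php routes requests with action=example_reset_tasks here
// for logged-in users only.
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_handle_reset' );

function example_handle_reset() {
    // Check 1, authorization: may the logged-in user perform this action?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Check 2, request origin: a request triggered from another site carries
    // the admin's session cookie but not this nonce, so WordPress stops here.
    check_admin_referer( EXAMPLE_ACTION, EXAMPLE_NONCE );

    // State changes only after both checks pass (placeholder for the real reset).
    update_option( 'example_tasks_reset_at', time() );

    wp_safe_redirect( admin_url( 'tools.php?page=example-maintenance&example_reset=1' ) );
    exit;
}
```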