Support » Plugin: OneSignal - Web Push Notifications » Do We Need to Deactivate or Delete the Plugin to Stay Safe?

  • Resolved dlynch027

    (@dlynch027)


    Stop deleting threads without answering the incredibly critical question.

    Do I need to delete the plugin for my websites to stay secure or is just deactivating them (until a new update is available) good enough?

  • Plugin Author OneSignal

    (@onesignal)

    Hi. We’re not aware of any threads that were deleted, but we apologize for any confusion around this.

    A security vulnerability was reported online, but we’ve determined that the vulnerability is invalid. There are no known vulnerabilities in the current version of the OneSignal WordPress plugin.

    The report pertains to a user who is an admin being able to use OneSignal to add HTML or JavaScript to their blog. But, of course, an admin can already take other destructive actions including adding HTML or JavaScript via the post composer, installing other plugins, or completely deleting the blog since they are the admin, after all.

    This invalid report is similar to one that WordPress themselves had a few years ago: https://make.wordpress.org/core/2010/12/31/the-published-exploit-for-wordpress-3-0-4-isnt-accurate/

    Standard practice when finding security vulnerabilities is to privately notify the vendor and give them an opportunity to respond. Not doing this can prevent us from responding to invalid reports. Unfortunately, in this case, we responded to the person that reported the issue within 5 hours of receiving the report, but he had already published it, so we were not able to provide confirmation or refute the findings.

    • This reply was modified 3 months, 3 weeks ago by OneSignal. Reason: add more detail