I’m not sure this is a false alarm. According to WP Vulnerability Database (here is the link) and the associated documentation within, ManageWP confirmed they were not activating the plugin or providing support in response to the vulnerability.
Timeline
2019-09-05 Identified the vulnerability
2019-09-06 Contacted ManageWP
2019-09-09 Contacted plugins@wordpress.org
2019-09-10 Response by ManageWP requesting more details
2019-09-11 Response by ManageWP that they are not actively maintaining the plugin and don’t provide support
2019-09-20 CVE assigned
2019-10-16 Public disclosure
Honestly – even if the vulnerability is a false alarm, ManageWP’s response to the inquiry is enough to remove it from every site you have because it’s only a matter of time before there is a real problem that they aren’t going to resolve. Why wait until it’s too late?
-
This reply was modified 2 years, 2 months ago by
cgscomputers. Reason: Ticking for email replies
-
This reply was modified 2 years, 2 months ago by
Jan Dembowski.
-
This reply was modified 2 years, 2 months ago by Jan Dembowski.
Hiya,
We’re looking into the matter, we had not been made aware of any potential issues with the plugin, and this is why there’s not been any action taken on our part here at WordPress.org.
The plugins team has been informed of the topic, and are investigating.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
If you need support for this plugin then please start your own topic. I have archived the pile on replies.
https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too
You can do so here.
https://wordpress.org/support/plugin/broken-link-checker/#new-post
-
This reply was modified 2 years, 2 months ago by Jan Dembowski. Reason: NUTS. Misread. Still, start your own topic please
Hi, not informed ?
1 week past with this topic : https://wordpress.org/support/topic/security-reflected-xss/
Please be sincere tell us if you want more maintain this plugin.
Thank you
-
This reply was modified 2 years, 2 months ago by
Emil1.
Looks like, they published another tool for their management plugin:
https://managewp.com/blog/link-monitor-ea-release
So they don’t need anymore Broken Link Checker. But here and on their website there is no official statement if they support this plugin no more ;-(
I’ve offered a couple times to manage the plugin this year, and tried to address major issues in the support forum this year, and run a fork with commits from the community that clean up some of the most frequent problems.
I don’t think it makes sense to fork yet another officially registered plugin to further fragmentation, but in any case, you can try the plugin with the patches that some people and I have improved here: (download zip under green button, should drop in as a replacement).
My request to manage this plugin under a community-focused approach stands!
URL: https://github.com/HongPong/broken-link-checker
I really think there needs to be a “Plugins Code of Conduct” that when a company decides to abandon a plugin, that they notify the community and ask if someone wants to take over it.
Thank you @hongpong for stepping up!
I WISH ManageWp would reply here
I would appreciate it very much if hongpong and others manage this really helpful plugin with more than 700.000 Installations.
Includes the version on github also a fix for the Authenticated Reflected Cross-Site Scripting (XSS)?
thanks for your support!!
@wpgerd take a look at the commits listed on github, as well as the issue list. per the forum rules i think i can’t say here exactly how this has been resolved?
I don’t know officially. But it seems something has already been decided about the plugin.
@hongpong as you may have seen GoDaddy’s response on Twitter… a company rep said they’re in the process of turning over ownership of the plugin. That it’s just days away. I asked the GoDaddy rep to keep us users informed in this support thread. Hopefully, we’ll hear something soon. Cheers, Peter
tazz
(@tazwordpress)
Hey folks, let me re-iterate what my colleague Nemanja also disclosed on Twitter. We have been looking for some time for a team that has previous contributions, activity in the WordPress space, reputation and team size (a.k.a. willingness and resources) to properly maintain and invest into this plugin.
We finally found a great team willing to do just that and we are in a final stages of the adoption process. We are hoping to wrap up everything and have an official announcement soon.
P.S.
Thanks for getting in touch with us Peter.
-
This reply was modified 2 years, 2 months ago by
tazz.
Hey there, everyone!
We’re happy to announce that we have taken over the maintenance of this plugin, and we have released an update, so the security issue is now solved, feel free to update and report any new issues.
We’re happy to help!
Regards,
Jorge – WPMU DEV
Thank you Jorge!
I am sure many many people will be very happy with your news.
Best regards,
Monique
Thank you Jorge!
I’ll announce this to my WordPress students
🙂 Christina
@wpmudev-support7 Awesome! Thank you so much! Is it possible to get this plugin somehow on WPEngine’s approved plugin list? Right now, they won’t let users install it.
Thank you. Peter
