Support » Plugin: All In One WP Security & Firewall » Issue 114 of github regarding vulnerability disclosure policy

  • Resolved doolyo

    (@doolyo)


    Hello.

    I have seen that someone has found a security issue, and has even coded the fix for you, in issue 114 of the AIOWPS GitHub repository:
    https://github.com/Arsenal21/all-in-one-wordpress-security/issues/114

    Did you give him an answer, and could you also get his code so that you can fix the issue? I have not seen any new version released with that security fix since he posted it.

    I think it is quite critical, as it means there is a security hole that others might take advantage of, so it would be better to get it fixed with this coder's help.

    Thank you.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi,

    Thank you for flagging this. I have personally made the development team aware of this.

    Thread Starter doolyo

    (@doolyo)

    Thank you very much!

    Plugin Author David Anderson

    (@davidanderson)

    I gave him my details. But note that he says “in the admin panel”. You have to be a logged-in admin already to see the AIOWPS admin panel. On various plugins I receive incorrect security reports from people who think that “step 1: log in to WP as an administrator using a valid username and password” is a valid first step in describing a security problem. (It isn’t, because the admin is already all-powerful – once you’ve logged in as admin, you can do anything already). So if this is the same sort of report as those, then there’s nothing to worry about. We’ll see if he gets back. I’ll mark this as closed for now.

    Thread Starter doolyo

    (@doolyo)

    Ok great.
    I think it is also important that you provide some way to contact you to send fixes or pull requests for a fix, but in an anonymous or non-public way (the security fix submission policy he talks about). A simple contact page with a form should probably do it, like on all sites, using Contact Form 7 for example. I would recommend having such a way to let people provide you with security fixes in a convenient and secure manner, for future fixes too.

    Thanks
