Plugin Support
Temyk
(@webtemyk)
The vulnerability was fixed in update 1.2.5. There is a message about it on the support forum,
and also a record in the changelog:
1.2.5
Fixing vulnerabilities
Please correct the rating, because what you wrote is not true.
I checked the change log when I was looking at plugins to try and find this issue. It was not there. If it had been there, it could have saved some time. When did you put that in? Six days after you knew of the issue and worked on it? It was true. That you decide to retroactively update things after isn’t my fault. This should have been done on day one.
Plugin Support
Temyk
(@webtemyk)
We released an update with fixes as soon as we learned about the vulnerability. That was 7 days ago.
Yesterday, when you wrote this review, the changelog already had the information, but you had not checked. And we also recognized the vulnerability.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
I think the confusion here is that the Readme was updated 27 hours ago to document the fix, but the fix was actually added between 2 and 7 days ago.
@anevins is correct.
The problem here is that a severe security breach took place. Everyone makes mistakes. I’m glad you fixed the problem. However, my concern is that you didn’t notify anyone of the problem in an acceptably professional manner. You put a huge banner on the website back-end as an ad. That’s fine. But why not notify everyone who has your plugin installed that they need to update ASAP or risk having malicious links inserted into their site in a similar way? Or at least put it in the changelog and plugin notification on day one? I’ve seen others do this. You did not. This caused damage to three different websites I manage, and I spent hours working on fixing this problem because of this poor notification.
Does this all make sense? I appreciate the work you do with providing a free plugin. However, there is a responsibility for making sure your plugin does not harm other people’s websites, and part of that is making it clear that your plugin needs to be patched to prevent a malicious attack. I posted this review not to hurt you, but to help other people (because you weren’t doing it). I didn’t check the change log again before posting, but the damage had already been done.
I believe others continue to have this problem, or am I wrong?
Plugin Support
Temyk
(@webtemyk)
Indeed, we were in a hurry and forgot to immediately indicate the changes in the changelog.
We have no way to notify plugin users about anything. We can only release an update.
In any case, to fix the vulnerability, you need to update the plugin, and many immediately updated it, despite the fact that the changelog did not specify the reason for the update.