• Resolved isaacbrown

    (@isaacbrown)


    Hi, why has your plugin been removed and now unavailable for download?

    This plugin has been closed as of February 27, 2020 and is not available for download. This closure is temporary, pending a full review.

  • I came here to ask this question as well… would like to know why it’s been removed as I use it on many sites.

    Plugin Support robertabela

    (@robert681)

    Hello @cgscomputers and @isaacbrown

    Thank you for your message. There is actually a low severity edge case issue in which unauthorized users can change the plugin’s settings.

    We are currently working on a fix and will be releasing the update with a fix within the next few hours.

    Sorry if this has caused any inconvenience. If you require further information / clarification, please do not hesitate to contact us by sending us an email on support@wpwhitesecurity.com.

    Thank you for using our plugins.

    Thank you for the timely attention to this issue!

    Would you be so kind as to post here when the update is available?

    Thank you again.


    Thanks for the info @robertabela!

    Could you clarify whether “unauthorized users” means the non-authenticated public, or just non-admin WordPress account users?

    Thanks!

    Thread Starter isaacbrown

    (@isaacbrown)

    Thanks @robert681, I look forward to being able to set up this plugin in my MainWP Dashboard. Let us know once it’s back!

    Plugin Support robertabela

    (@robert681)

    We have already submitted the fix and we are waiting for the administrators to approve it.

    As soon as it is approved we will update this ticket.

    @tmuka if you need more details, please email us at support@wpwhitesecurity.com. We’d be more than happy to answer all your questions. However, we do not want to disclose too many details until the fix is available to the public. There is not much to worry about, though, because it is a low severity edge case and its impact is only on our plugin and not on the WordPress website on which it is installed.

    Thanks, that makes sense.

    Plugin Support robertabela

    (@robert681)

    Hello everyone, version 4.0.2, which includes the fix, is available for download. Even though the plugin has not been reinstated yet (wrong timing because of the weekend), you can still download it from this repository.

    @robert681 But as the plugin has been taken offline, the download links are not available.

    Plugin Support robertabela

    (@robert681)

    Sorry @josklever

    I thought everyone could see the download link. I can see it because I am the developer.

    You can download the latest version of the plugin, which includes the fix, from here.

    I’m not sure how much my word will mean to anyone, but… Since I don’t like to blindly download stuff (especially security-related stuff), I did a quick review of the changes made to the plugin (available on the link, file hashes – MD5: 664f37ae7ff5a5f872e9450317291e6e, sha256: c9b21c1d9f7093e7ae80b19d760fe89e4a78986a62a453551deab69984d3aea1) and they check out – the changes generally fall under removal of obsolete/insecure code, or shifting reliance to WP’s own role security.

    If you happen to have an old copy (say, v4.0.1) of the plugin, nothing’s stopping you from performing a comparison yourself.

    @ellmanncreative I trust the developer of this plugin and the download link is placed by himself on his own website, so it’s not a shady link from a third party.

    Hopefully the WP plugin team will review the update asap, so the plugin will be available for download/update again.

    No, I figured that – but this issue doesn’t just affect you, and I thought maybe someone else might benefit from me saying the above.

    Plugin Support robertabela

    (@robert681)

    Thank you for pointing that out @ellmanncreative

    I see your point and I agree – there is no way to verify the validity of that download. I also agree that ideally one should not just download any random file.

    However, in this case as @josklever pointed out (thank you for the trust!) I uploaded the file from the same place we upload the plugin on the repo. So it is safe to download, but I also understand if people want to wait until the update is made available officially via the repository.

    I would argue that this is a high-risk plugin, since it deals with security and therefore is trusted explicitly. As such, with this update being highly irregular, there’s a broad chain of trust that needs to be followed:

    – that wordpress.org’s security hasn’t been compromised
    – that your account hasn’t been compromised:
    — that you don’t reuse passwords,
    — that none of the sites you also use have been compromised and used to reset your security or otherwise gain access to the account
    — that your website hasn’t been compromised
    – that the plugin wasn’t suspended for possible security violations (wordpress.org really isn’t transparent about these things…), or otherwise made to be suspended so that people would come to the Support threads seeking help (a perfect opportunity to serve someone a malicious “update”, wouldn’t you agree?)
    – that the file wasn’t prepared with malicious payload as part of an ongoing attack

    etc. etc. etc.

    I don’t know you. It says “plugin contributor”, but there could be anyone hiding behind that handle right now. A short-lived attack could last only a few days and be so high-profile that the attacker might not care that this vector is then permanently patched up.

    On the other hand, if I trusted all of the above explicitly when I installed the plugin from wordpress.org before – I can assume (without extensive code reviews) that the existing v4.0.1 I have on my disk is safe. Therefore, checking the code diff is a relatively simple procedure that only really costs me time (and, seeing as it only took under an hour w/ other activities, it’s not that high a cost to begin with).
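The two checks this post describes (matching the published digest, then diffing the download against the trusted v4.0.1 copy) as an added shell example; this is not the plugin's code or anything posted in the thread. The expected SHA-256 is the one quoted earlier in the thread; the sample trees it diffs are constructed, and the `verify.sh` name and argument order are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the plugin: verify an out-of-band
# plugin build by its published SHA-256, then diff it against a trusted copy.
# The digest below is the sha256 quoted in the thread for the 4.0.2 zip.
EXPECTED_SHA256="c9b21c1d9f7093e7ae80b19d760fe89e4a78986a62a453551deab69984d3aea1"

# Print the lowercase SHA-256 of a file (coreutils sha256sum or BSD shasum).
file_sha256() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Succeed only when the file's digest equals the expected one (case-insensitive).
verify_sha256() {
    [ "$(file_sha256 "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# List what changed between a trusted old tree and the new one, one path per
# line: M modified, D only in old (removed), A only in new (added).
tree_changes() {
    old=$1; new=$2
    diff -rq "$old" "$new" | while IFS= read -r line; do
        case "$line" in
            "Files $old/"*)
                f=${line#"Files $old/"}; printf 'M %s\n' "${f%% and *}" ;;
            "Only in $old"*|"Only in $new"*)
                if [ "${line#"Only in $old"}" != "$line" ]; then
                    tag=D; rest=${line#"Only in $old"}
                else
                    tag=A; rest=${line#"Only in $new"}
                fi
                rest=${rest#/}; dir=${rest%%: *}; name=${rest#*: }
                printf '%s %s\n' "$tag" "${dir:+$dir/}$name" ;;
        esac
    done
}

# Constructed sample (not the plugin's real files): a settings handler that gains
# a capability check in the new tree, and a legacy file dropped from it.
demo_changes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/v4.0.1/includes" "$tmp/v4.0.2/includes"
    printf '<?php\nfunction save_settings() {\n  update_option("opt", $_POST["opt"]);\n}\n' \
        > "$tmp/v4.0.1/includes/settings.php"
    printf '<?php\nfunction save_settings() {\n  if (!current_user_can("manage_options")) return;\n  update_option("opt", $_POST["opt"]);\n}\n' \
        > "$tmp/v4.0.2/includes/settings.php"
    printf 'legacy\n' > "$tmp/v4.0.1/legacy.php"
    tree_changes "$tmp/v4.0.1" "$tmp/v4.0.2"
    rm -rf "$tmp"
}

# Usage: sh verify.sh plugin-4.0.2.zip ./v4.0.1 ./v4.0.2 (trees already unzipped);
# with no arguments it runs the constructed demo instead.
if [ "$#" -eq 3 ]; then
    verify_sha256 "$1" "$EXPECTED_SHA256" && echo "hash OK: $1" || echo "HASH MISMATCH: $1"
    tree_changes "$2" "$3"
else
    demo_changes
fi
```

The diff listing is only a map of where to look; the reviewer still has to read each modified file, as the post says was done here.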

  • The topic ‘Plugin has bee removed from wordpress.org?’ is closed to new replies.