• Resolved frisbee9580

    (@frisbee9580)


    Hi,

    We are evaluating the plugin and did a quick code quality review as of version 1.1.93.
    Could you advise on the following items?

    1. SSL Verification disabled on remote requests
    We found multiple wp_remote_get(…, ['sslverify' => false]) calls when downloading labels and
    other resources. This is a potential security risk.
    Why is SSL verification disabled?

    2. Remote downloads using file_get_contents()
    We saw file_get_contents($file_url) used to download remote label files (no WP HTTP API,
    timeouts, or error handling).
    Can this be replaced with wp_remote_get() with explicit timeouts and safe handling?
    Are the remote URLs always guaranteed to be ShipAny-owned/whitelisted?

    3. Caching/writes inside the plugin directory
    The plugin creates/writes to wp-content/plugins/shipany/cache and attempts mkdir(…,0777) / chmod(…).
    Not sure that’s suitable for Bedrock/Trellis projects where plugin directories are read-only. Not runtime storage. The permission choices are also questionable.

Viewing 1 replies (of 1 total)
  • Plugin Author shipany

    (@shipany)

    We are pleased to inform you that version 1.1.95 has been released. Please try it and share your feedback, and kindly let us know if you encounter any further issues.
