Support » Plugin: Strong Testimonials » Plugin withdrawn from WordPress.org

  • Resolved Manni02

    (@manni02)


    It looks like the plugin has been temporarily withdrawn from WordPress.org and isn’t available for download (I was alerted to this by Wordfence).

    Please could you explain why?

    WordPress says it’s under review, but there is no further explanation.

    Thanks

Viewing 15 replies - 1 through 15 (of 25 total)
  • Michael

    (@blackvx)

    I’m also interested to know what is going on with this.
    Thanks

    bluevelvetelvis

    (@bluevelvetelvis)

    Yes please. Would love an update. Thanks!

    Plugin Author Cristian Raiber

    (@cristianraiber-1)

    Hey folks,

    sorry for the late reply. We’ll be able to disclose more after we get the plugin unsuspended and an update released.

    It’s nothing to worry about and the plugin isn’t going anywhere soon. We’re fully committed to maintaining it and releasing updates.

    FWIW, this is concerning a security issue that could be potentially exploited under specific circumstances. We’re working on a patch and will submit it soon. It’s usual for WordPress.org to suspend plugins in case of security issues and then review them to minimize the possibility of the issue spreading.

    FYI, this issue appears to have been in the plugin since it was launched.

    Stay tuned for an update very soon 🙂

    All the best,
    Cristian.

    hugowachters

    (@hugowachters)

    Thanks for the information.

    Thread Starter Manni02

    (@manni02)

    Great, thanks for the update 🙂

    bluevelvetelvis

    (@bluevelvetelvis)

    Thanks for keeping us in the loop! Love this plugin.

    supahduck

    (@supahduck)

    Given that the suspension is in regards to a potential security issue, would you recommend disabling the plugin for now, until an update is released?

    Just trying to minimize security exposure for my clients.

    Thread Starter Manni02

    (@manni02)

    I wouldn’t go as far as disabling the plugin, as it might cause cosmetic issues where testimonials are displayed, but I would prevent uploading user files if it’s something your clients allow in the plugin settings. That’s assuming they already have a firewall installed (Wordfence, Sucuri, etc.).

    supahduck

    (@supahduck)

    Already running Wordfence on all my client installations, and user uploads are not permitted (just using the plugin to publish testimonials submitted out-of-band, not allowing “public” uploads).

    If the attack vector is purely through the upload functionality, then I’ll just make sure that it’s locked down, until we get more info/updates.

    Thanks, Manni02!

    Thread Starter Manni02

    (@manni02)

    Just to clarify, I have no idea where the issue is in the plugin, it just looks to me that the public file upload feature is an obvious hole to plug until we find out, short of disabling the whole plug-in.

    supahduck

    (@supahduck)

    I would agree, Manni02. In most of the recent vulnerabilities in other plugins, it’s usually insufficient user validation checks (the dreaded isadmin() mistake), which allows all sorts of damage via malicious uploads.

    Glad to see that WP/Cristian/Machothemes are being proactive about this. 🙂

    Plugin Author Cristian Raiber

    (@cristianraiber-1)

    The issue is not related to uploads 🙂 It’s something completely different.

    We’re waiting for the official review of the plugin. Once that’s ready and approved, we’ll be able to make the actual bug public for everyone.

    Thanks for being so patient with us!

    /Cristian.

    davesyntax

    (@davesyntax)

    Looking forward to the update / more info.

    blmbmj

    (@blmbmj)

    Are there any updates?
    Do you know how much longer? I am beginning to become a little worried.

    Thanks.

    singingcyclist

    (@singingcyclist)

    If it’s not to do with the uploads, should we all be worried? I have quite a few sites using this plugin. Please can you let us know how long it will be until an update?

  • The topic ‘Plugin withdrawn from WordPress.org’ is closed to new replies.