Security Issues
-
It has been reported that there is a security issue with a Cross Site Request Forgery (CSRF) vulnerability.
Do you know when this will be patched? Thanks.
-
I had the same warning: WordPress Optimize Database after Deleting Revisions plugin <= 5.0.110 – Cross Site Request Forgery (CSRF) vulnerability
Such a pity,
The sad part is there is no word from the developer on this. I will look for a replacement.
Please notify when you have found a good replacement. I am on a pension now but still manage a couple of Community WordPress websites and this apparently abandoned plug-in came in very handy in keeping those databases tidy.
Thank you,
Yolanda aka nathair
Hey guys,
Does anyone has any ideas on how to fix this CSRF issue?
Thanks!
Rolf
The WP toolkit running on Plesk is also reporting the vulnerability.
@cageehv as far as i could find,
these types of issues can be prevented by using “nonces” and validating, sanitizing and escaping your code where possible,
https://wpvip.com/2023/02/28/how-to-protect-against-csrf-attacks-with-wordpress-nonces/
This report from Wordfence may help:
“This is due to missing or incorrect nonce validation on the ‘odb_start_manually’ function.”
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/rvg-optimize-database/optimize-database-after-deleting-revisions-50110-cross-site-request-forgery-via-odb-start-manually
From Wordfence:
The Optimize Database after Deleting Revisions plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.0.110. This is due to missing or incorrect nonce validation on the ‘odb_start_manually’ function. This makes it possible for unauthenticated attackers to start the database optimization process via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
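The two posts above point at the standard WordPress defence for this class of bug: a nonce tied to the action and the logged-in user, checked before the action runs. The following is an added PHP example, not the plugin's own code; the `ex_`-prefixed function names, the `tools.php?page=ex-optimize` slug and the `manage_options` capability are assumptions chosen for illustration. It shows a handler that trusts a bare query parameter beside the same handler with nonce verification added.

```php
<?php
// Added example (not the plugin's code). All "ex_" names are assumptions.
// Illustrates the defect class from the Wordfence description: an admin
// action triggered by a request parameter without nonce validation.

// --- Weak form: runs whenever the parameter is present. ---
// A capability check alone does not stop CSRF, because the browser of a
// logged-in admin sends the session cookie with any request it is made to issue.
function ex_weak_handle_request() {
    if ( isset( $_GET['ex_start_manually'] ) && current_user_can( 'manage_options' ) ) {
        ex_run_optimization();
    }
}

// --- Hardened form ---
// 1. When rendering the admin page, attach a nonce to the link that starts
//    the job. wp_nonce_url() appends the nonce as the '_wpnonce' query arg.
function ex_render_start_button() {
    $url = wp_nonce_url(
        admin_url( 'tools.php?page=ex-optimize&ex_start_manually=1' ),
        'ex_start_manually' // nonce action name; must match the check below
    );
    echo '<a class="button" href="' . esc_url( $url ) . '">Start optimization</a>';
}

// 2. Verify the nonce first, then the capability, then do the work.
function ex_handle_request() {
    if ( ! isset( $_GET['ex_start_manually'] ) ) {
        return;
    }
    // check_admin_referer() reads '_wpnonce' by default and stops the request
    // with an "expired link" screen when the nonce is missing or invalid.
    check_admin_referer( 'ex_start_manually' );

    // Nonces prove intent, not authorization: keep the capability check too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.', 'ex-optimize' ) );
    }
    ex_run_optimization();
}

function ex_run_optimization() {
    // Placeholder for the actual database clean-up work.
}

add_action( 'admin_init', 'ex_handle_request' );
```

For a form submitted by POST, the equivalent pair is `wp_nonce_field( 'ex_start_manually' )` inside the form and the same `check_admin_referer( 'ex_start_manually' )` in the handler; for admin-ajax requests use `check_ajax_referer()`. WordPress nonces are valid for roughly 12 to 24 hours and are bound to the user and action, which is what makes a request forged from another site fail the check.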
Same, Wordfence warnings for the 51 websites I use it on, I could cry. Such a useful plugin, I’d be interested if anyone finds something equivalent.
Hey all,
I think I fixed the CSRF issue!
Tomorrow I’ll send in the fixed version for a re-review.
Many thanks to you all for being supportive and all your suggestions and hints! Much appreciated!
Rolf
Great news! Thanks Rolf
Nice one Rolf!
Let’s hope this fixes things.
It’s good to hear from you @cageehv , thanks for working on it!
Thank you Rolf @cageehv
I suggest that you contact Wordfence and others that reported the issue so they’ll know it’s fixed
Hey guys,
Good news: the updated version (5.1) has been approved after a re-review!
Thanks for your ongoing support!
Rolf
It really is appreciated Rolf, I’ve used your plugin for lots of clients over the years and I’d have no idea what could replace it! All the best (hat tip emoji)
The topic ‘Security Issues’ is closed to new replies.