• Resolved maciejrzeszutko

    (@maciejrzeszutko)


    List category posts has a known vulnerability that may be affecting this version. – ≤ 0.90.3

    This vulnerability appears to be unpatched. Stay tuned for upcoming plugin updates.

    Path Traversal: '.../...//'

    The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

    Global score: 7.5 / 10

    Severity: High

    [+] CVE-2025-47636
    [+] EUVD-2025-13750

Viewing 15 replies - 1 through 15 (of 16 total)
  • Sea Jay

    (@jcollier)

    We just received that notification, too. I hope this is updated very soon since we love using it.

    Plugin Author Fernando Briano

    (@fernandobt)

    Version 0.91.0 just went out which should address the issue.

    Sorry for the scare, but as Wordfence describes, the issue needs an authenticated attacker, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. So you’d need an authenticated attacker, with access to the server filesystem so they can upload/modify a file, to make use of this vulnerability.

    The system would have been compromised already to use it. Most WordPress blogs are not in danger, unless a malicious user has already gained access to their website (in which case, the problems they could cause are much bigger than what they could achieve with List Category Posts).

    Thanks, and hope you can keep enjoying the plugin 🙂

    Thank you for the update and the context!

    We have version 0.91.0, which shows the Security Risk in Jetpack Protect. Do you have an idea when it will be fixed?

    slewisma

    (@slewisma)

    Fernando, does your comment about 0.91.0 having just gone out mean that you will be addressing the vulnerability, just not immediately since you just did a release?

    Clients get nervous when they see the warning from Wordfence, Jetpack, etc. I understand the risk is low due to the needed access levels and that Wordfence’s WAF may provide protection anyway. It’d be good to be able to tell the clients that the risk is minimal and that a future update will address it rather than not knowing if it will be addressed or not. Thanks!

    btwebmedia

    (@btwebmedia)

    Is there an update to the 0.91 version? It’s being dinged as a security risk. Thanks for your help.

    Patchstack and other DBs are still reporting a security risk; is there a fix going to be released soon?

    Hi there! I’m just checking in to see if the current security issue is being addressed. This week it has shown up on ManageWP. (via Patchstack) I only ask because in our monthly reports, our clients will see the vulnerability and will have questions.

    Thank you so much!

    Yep. .91 still kicking off a report from Solid Security (since May 15)

    Still unpatched.

    Any plans to patch it?
    It gives me anxiety.

    Wordfence and ManageWP still show it as vulnerable too which gives clients anxiety.

    Plugin Contributor zymeth25

    (@zymeth25)

    Please read Fernando’s reply above, it explains the issue in enough detail. It’s worth adding that in the current version users are only allowed to include files from the dedicated template directory; server administrators put LCP templates there for later use. This is the core of the template feature of this plugin; to “fix” the reported vulnerability would be to remove the feature, which is unacceptable for most users.

    Admins with write access create templates and it’s their responsibility to maintain secure templates. So this is clearly not a contributor level privilege escalation issue as the report suggests.
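The two points above (the notification's '.../...//' description and the restriction to a dedicated template directory) can be shown side by side in code. This is an added example, not code from List Category Posts: a naive "../" strip of the kind CWE-35 warns about, next to a resolver that only accepts a bare template name and confirms the canonical path stays inside the template directory. All function names, paths and sample files are assumptions, and PHP 8 is assumed for str_ends_with() and str_starts_with().

```php
<?php
// Added example, not code from List Category Posts: confine a user-supplied
// template name to one template directory. All names, paths and files below
// are assumptions/constructed samples; assumes PHP 8.

// The filter CWE-35 warns about: one pass of removing "../" collapses
// ".../...//" into "../", so the traversal survives the "sanitising".
function naive_strip_dotdot(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened resolver: accept only a bare file name, then confirm that the
// canonical path still lies inside the canonical template directory.
function resolve_template(string $name, string $templateDir): ?string
{
    // Template names are single path components such as "grid" or "grid.php";
    // this alone rejects every "/", "..", ".../...//" or null-byte variant.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.php)?$/', $name)) {
        return null;
    }
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    $file = str_ends_with($name, '.php') ? $name : $name . '.php';
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $file);
    // realpath() follows symlinks, so a template symlinked to a file outside
    // the directory (or a missing file) is rejected here as well.
    if ($candidate === false || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// Constructed sample layout under the system temp directory.
$dir = sys_get_temp_dir() . '/lcp-templates-' . getmypid();
mkdir($dir, 0700, true);
file_put_contents("$dir/grid.php", "<?php // sample LCP template\n");

var_dump(naive_strip_dotdot('.../...//wp-config.php')); // naive filter, CWE-35 input
var_dump(resolve_template('grid', $dir));                // bare name inside the directory
var_dump(resolve_template('.../...//wp-config', $dir));  // CWE-35 input
var_dump(resolve_template('../wp-config.php', $dir));    // plain "../"

unlink("$dir/grid.php");
rmdir($dir);
```

Run it with `php example.php`; the naive filter returns a path that still climbs one directory, while the resolver returns the template path only for the bare name and null for the other inputs.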

    We understand what Fernando is saying but our clients who see the listed vulnerability on their monthly reports aren’t able to understand what is happening. All they see is the red flag. Could you please fix it so we don’t have to keep trying to answer their panicked questions?

    Plugin Author Fernando Briano

    (@fernandobt)

    This is an issue with the systems reporting a red flag on the plugin. As the report says, the security issue has a low severity impact and is unlikely to be exploited. I think it’s good to let users know of potential issues, but the risk here is extremely low. A WordPress system won’t be any less secure by using this plugin. To get to the level of compromise needed to “exploit this vulnerability”, the system would be extremely vulnerable in many other dangerous ways. There is no planned “fix” at the moment, as this is a core feature of the plugin and we don’t consider it a security vulnerability.

    This plugin has been built as a voluntary effort in the spirit of free software. I understand others have built their businesses out of using free software, but this is not a business to us.

    You are obviously free to stop using the plugin if you’re not happy with any of this.
