v4.4.0 is vulnerable

Resolved PTaubman
(@ptaubman)

2 years, 3 months ago

WP Scan / iThemes Security Pro is reporting:

WordPress Social Warfare plugin <= 4.4.0 – Cross-Site Request Forgery vulnerability

You can see this here.

Is this anything to be concerned about? When will an update be released?

Thanks.
Paul.

The page I need help with: [log in to see the link]

Viewing 9 replies - 1 through 9 (of 9 total)

anotherdave
(@anotherdave)

2 years, 3 months ago

I just logged in here to see if anyone had mentioned this yet, as I’m seeing the same thing with my client’s sites that use this plugin. Hoping for an update.

Thread Starter PTaubman
(@ptaubman)

2 years, 3 months ago

Looking for an update on this before removing it from our sites.

Any news?

Thanks.

Christine Cobb
(@chriscobb)

2 years, 3 months ago

Anyone seeing a resolution to this? Thinking about switching to a different solution.

Thread Starter PTaubman
(@ptaubman)

2 years, 3 months ago

I gave up and emailed support. Initially I was told to upgrade my plugin by deleting what was installed and then reinstalling from the repository. This was fruitless since it installed the same version 4.4.0.

When I pointed this out, I was then informed:
“Thanks Paul – Our development team is going to reach out to them.”

So perhaps it is a false-positive (although on WPScan – https://wpscan.com/vulnerability/7140abf5-5966-4361-bd51-ee29d3071a30 – it shows as vulnerable still).

Hope this helps.

Christine Cobb
(@chriscobb)

2 years, 3 months ago

I also emailed support the link from Wordfence. https://www.cve.org/CVERecord?id=CVE-2023-0403

Plugin Author WarfarePlugins
(@warfareplugins)

2 years, 3 months ago

Hi @ptaubman @chriscobb @anotherdave
Sorry for the confusion here. This is a false positive and we have been hoping that they would update their sites before we reported back here. I know this was 5 days ago, but we do not monitor WP support channel on the weekend. We will do better in the future because I see this is a justifiable concern for all of you. If you look at Wordfence report, you will see that the vulnerability has been patched weeks ago. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-warfare/social-warfare-430-cross-site-request-forgery

And in truth, this “vulnerability” was not really a vulnerability. Basically the vulnerability allowed a hacker with “user” permissions (which is any current paid customer) to be able to log in and temporarily disconnect FB handshake on someone else’s account. But on the next cron, the handshake would fix itself. So why would a hacker waste their time trying to annoy someone with a temporarily disconnected FB.

But, this is a vulnerability and we take security very seriously.
And it has been patched. We will be releasing 4.4.1 and fix a few other minor bugs. We want to always try to improve and be the best social sharing plugin on the market.
Thank you

Christine Cobb
(@chriscobb)

2 years, 3 months ago

@warfareplugins thanks for the clarification

Plugin Author WarfarePlugins
(@warfareplugins)

2 years, 3 months ago

Thank you for your patience and cooperation as we work to increase our support staff for our growing number of users on our platform

anotherdave
(@anotherdave)

2 years, 2 months ago

@warfareplugins thank you and the team so much!

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘v4.4.0 is vulnerable’ is closed to new replies.