Support » Plugin: TablePress » WordFence Alerts Critical for Vulnerability

  • Resolved Michael Kraus

    (@mjkraus)


    Hello,

    When scanning recently with WordFence, the TablePress plugin shows a critical vulnerability and the text below:

    Plugin Name: TablePress
    Current Plugin Version: 1.14
    Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “TablePress” until a patched version is available. Get more information.
    Repository URL: https://wordpress.org/plugins/tablepress
    Vulnerability Information: https://www.cve.org/CVERecord?id=CVE-2019-20180

    When reviewing the TablePress Vulnerability via the link, it goes to a 404 page.

    Will there be a new release soon that addresses this issue and brings TablePress up to the most current compatibility?

    The Plugin is great by the way. Really useful and lots of options!


Viewing 15 replies - 1 through 15 (of 61 total)
  • Yes, I’ll add my vote here. I am seeing the same message:

    Plugin Name: TablePress
    Current Plugin Version: 1.14
    Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “TablePress” until a patched version is available.
    Repository URL: https://wordpress.org/plugins/tablepress
    Vulnerability Information: https://www.cve.org/CVERecord?id=CVE-2019-20180

    Hopefully, there will be a new release soon.

    Thank You!

    Yes got the same on all of my sites with TablePress.

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi everybody,

    thanks for your notifications about this! I’ll be using this forum thread for updates, as I have them.

    TLDR: WordFence is currently reporting an issue in TablePress, but does seem to provide old details and ill-advised recommendations.

    At the time of writing this, I only have the same information that you all have. WordFence has not been in touch with me about this and this has taken me by surprise, just as it has you.

    The link to the Details page from their report also only returns an error for me. The mentioned CVE ID in that link does however exist — it’s a rather old report (from 2019) about a potential security issue in TablePress, which however ultimately was deemed invalid. See https://nvd.nist.gov/vuln/detail/CVE-2019-20180 for more.

    I do not know why WordFence suddenly reports this old entry again, and why it comes to that harsh recommendation regarding deactivating and removing TablePress.
    I’m currently trying to get a hold of someone at WordFence (if you can assist, that would be greatly appreciated). If there really is an issue in TablePress, I will of course be fixing it as soon as possible!

    Thanks for your patience on this. I’ll be posting updates as soon as possible!

    Best wishes,
    Tobias

    Thank you so much @tobiasbg for your fast response, much appreciated!

    Yes, as many customers we were concerned by this security notification.

    We hope it’s a false positive and Wordfence will acknowledge it as soon as possible.

    Best,
    -Charbel

    Hi,
    Thanks for the fast response @tobiasbg, much appreciated.
    cheers

    I’ve just sent a support request in to Wordfence explaining that I’m concerned at Wordfence telling me to disable a plug-in that contributes important content on my website, with no explanation as to why I need to (their Vulnerability Information link is to a page not found), and also that they would flag up a “critical” vulnerability in a plug-in but not contact the author. Obviously if I find anything out I shall report back.

    I’m curious about this too.

    Hi Tobias,
    I too have received notification from Wordfence:

    Critical Problems:

    * The Plugin “TablePress” has a security vulnerability.

    Thank You,
    Ruth

    Interesting, I’ve just received an email saying WordFence version 7.7.0 is now available. Will update and scan again to see if the warning is still present.

    Hi, the database they link to is undergoing maintenance today.

    It’s also listed here at the old site: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20180

    Edit: Looks like the new Wordfence is alerting to older CVEs now, hence this alert

    • This reply was modified 1 month, 3 weeks ago by chenryahts. Reason: edit note

    I was just going to post that 🙂

    The page refers to The TablePress plugin 1.9.2 but mine is Version 1.14?

    It’s also from 2019. Can the author confirm that was fixed?

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi everyone,

    thanks for all your interest and support on this!

    I have now received a reply from WordFence, and this is indeed about the report at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20180 which talks about the security implications of opening an exported CSV file in Excel.

    Just as back then, in 2019, I deem this report to be invalid.
    If you read the description closely, TablePress is merely used to create a CSV file that brings problems to Excel. This can however be done with every simple text editor, like Notepad or Textedit, so that you would have to create an exploit report for every simple text editor software, as they all can create arbitrary CSV files.

    TablePress does not have a security issue here. It’s not producing invalid CSV files or anything like that. It’s not possible to attack TablePress, the WordPress site that uses it, or the server it’s running on.
    It’s the programs like Excel that misinterpret the content of a CSV file, which they simply should not be doing.

    Regards,
    Tobias

    @tobiasbg Thanks for responding!

    Many thanks for your quick response on this Tobias. It is very much appreciated!!!!
