Fernando Briano
Forum Replies Created
Forum: Plugins
In reply to: [List category posts] PHP 8.4 issue
Thanks!
Forum: Plugins
In reply to: [List category posts] PHP 8.4 issue
Hi @aliamm, version 0.94.0 is out where I tried to address this issue. Let me know if it’s still a problem in your site after updating. Thanks!
Forum: Reviews
In reply to: [List category posts] Fantastic
Thank you kindly for your review! 🙂
Forum: Plugins
In reply to: [List category posts] post_status not working anymore after update to 0.93.0
@sarahtopfstaedt version 0.93.1 is out with a fix for this issue. Please update and let me know if it’s fixed for you, thanks!
Forum: Plugins
In reply to: [List category posts] post_status not working anymore after update to 0.93.0
Hi @sarahtopfstaedt, thanks for reporting this. We’ve identified the issue and are working on a patch release to fix the bug. I’ll update this post once the release is out, thanks!
Forum: Plugins
In reply to: [List category posts] SECURITY RISK
Patchstack has now marked the issue fixed in version 0.92.0:
https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability
As mentioned before, this is not an issue for single-user instances, and it’s very low risk for systems with several users. But it’s marked as fixed if you update to version 0.92.0. Thanks.
Forum: Plugins
In reply to: [List category posts] Security risk
Patchstack has now marked the issue fixed in version 0.92.0:
https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability
As mentioned before, this is not an issue for single-user instances, and it’s very low risk for systems with several users. But it’s marked as fixed if you update to version 0.92.0. Thanks.
Forum: Plugins
In reply to: [List category posts] Vulnerability posted by Wordfence
Oh, hadn’t seen that message, Patchstack has marked it as fixed, thanks @mountain-hiker-1!
Forum: Plugins
In reply to: [List category posts] Vulnerability posted by Wordfence
I got in touch with both Patchstack and Wordfence yesterday after releasing the new version. I haven’t heard back from them yet.
Forum: Plugins
In reply to: [List category posts] SECURITY RISK
This is an issue with the systems reporting a red flag on the plugin. As the report says, the security issue has a low severity impact and is unlikely to be exploited. I think it’s good to let users know of potential issues, but the risk here is extremely low. A WordPress system won’t be any less secure by using this plugin. To get to the level of compromise needed to “exploit this vulnerability”, the system would be extremely vulnerable in many other dangerous ways. There is no planned “fix” at the moment, as this is a core feature of the plugin and we don’t consider it a security vulnerability.
This plugin has been built as a voluntary effort in the spirit of free software. I understand others have built their businesses out of using free software, but this is not a business to us.
You are obviously free to stop using the plugin if you’re not happy with any of this.
Forum: Plugins
In reply to: [List category posts] Security risk
The issue for 0.91.0 is a new one indeed. It is marked as Low priority:
“This security issue has a low severity impact and is unlikely to be exploited.”
The update in 0.91.0 makes it so that you can only include template files from the list-category-posts directory in your theme’s directory. File inclusion is a core functionality of the template system, it lets users create their own templates by uploading a file and referencing it with the shortcode. For this to be used as an exploit, a malicious actor needs to have access to uploading/editing files on the server and editing posts with Contributor+ permissions. As I mentioned before, by this point the system would be absolutely compromised and what can be done with the plugin is minimal in comparison to having a compromised server and WordPress system.
I’d like to fix this, but I don’t know if what’s expected is to completely remove the feature? A user with access to a WordPress system and the server is always going to be able to manipulate PHP files and include them wherever. I’m open to ideas.
I also think the reports make it look very alarming and don’t make it clear enough that this “vulnerability” needs a completely compromised system.
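The restriction described in the reply above (template files may only be included from the list-category-posts directory inside the theme) is the kind of check a defender wants to see in code. The following is an added example and not the plugin's own code: the function name lcp_resolve_template, the temporary directory it creates, and the sample template names are all constructed for the demonstration. In a real WordPress plugin the base directory would be something like get_stylesheet_directory() . '/list-category-posts'.

```php
<?php
// Added example (hypothetical, not from the List Category Posts plugin):
// resolve a template name taken from a shortcode parameter to a file inside
// one fixed directory, and refuse anything that would escape that directory.

/**
 * Return the absolute path of "$template.php" inside $base_dir, or null if the
 * name is not acceptable or the file does not exist.
 */
function lcp_resolve_template(string $base_dir, string $template): ?string
{
    // 1. Allow only a plain file name made of letters, digits, dash, underscore.
    //    This rejects "../", absolute paths, NUL bytes and stream wrappers before
    //    the filesystem is even touched.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template)) {
        return null;
    }

    // 2. Canonicalise both the base directory and the candidate file.
    //    realpath() returns false when the path does not exist.
    $base = realpath($base_dir);
    $file = realpath($base_dir . DIRECTORY_SEPARATOR . $template . '.php');
    if ($base === false || $file === false) {
        return null;
    }

    // 3. Defence in depth: the canonical file path must still start with the
    //    canonical base directory (guards against symlinks placed inside it).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $file;
}

// --- Self-contained demonstration using a constructed temporary directory ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lcp-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/list-category-posts', 0700, true);
file_put_contents($tmp . '/list-category-posts/cards.php', "<?php echo 'cards template';\n");
file_put_contents($tmp . '/secret.php', "<?php echo 'must not be reachable';\n");

$base  = $tmp . '/list-category-posts';
$cases = [
    'cards',      // legitimate template name -> resolved to the file in $base
    '../secret',  // traversal attempt -> rejected by the name check
    'cards.php',  // dots are not allowed; the resolver appends .php itself
    'missing',    // acceptable name but no such file -> rejected
];
foreach ($cases as $name) {
    $path = lcp_resolve_template($base, $name);
    printf("%-12s => %s\n", $name, $path === null ? 'REJECTED' : $path);
}

// Clean up the constructed files.
unlink($tmp . '/list-category-posts/cards.php');
unlink($tmp . '/secret.php');
rmdir($tmp . '/list-category-posts');
rmdir($tmp);
```

Only the first case resolves; the other three return null, so the calling code never reaches an include statement with an attacker-controlled path. The name check does most of the work, and the realpath comparison is there so that a symlink dropped into the templates directory cannot point the include elsewhere.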
Forum: Plugins
In reply to: [List categories] Styling Parent Cats
Hi, yes, the plugin is still being supported.
To have the parent categories displayed as bold text, I came up with something like this:

.cat-item {
  font-weight: bold;
}
ul.children .cat-item {
  font-weight: normal;
}

I think you could also solve this by using the :not operator to select li items with the .cat-item class that are not children of children.

For your second question:

ul.children {
  padding-top: 20px;
}

This code will add 20px between the parent categories and their children.
Forum: Plugins
In reply to: [List category posts] Security risk
Version 0.91.0 just went out which should address the issue.
Sorry for the scare, but as Wordfence describes, the issue needs an authenticated attacker, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. So you’d need an authenticated attacker, with access to the server filesystem so they can upload/modify a file, to make use of this vulnerability.
The system would have been compromised already to use it. Most WordPress blogs are not in danger, unless a malicious user has already gained access to their website (in which case, the problems they could cause are much bigger than what they could achieve with List Category Posts).
Thanks, and hope you can keep enjoying the plugin 🙂
Forum: Plugins
In reply to: [List category posts] SECURITY RISK
Version 0.91.0 just went out which should address the issue.
Sorry for the scare, but as Wordfence describes, the issue needs an authenticated attacker, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. So you’d need an authenticated attacker, with access to the server filesystem so they can upload/modify a file, to make use of this vulnerability.
The system would have been compromised already to use it. Most WordPress blogs are not in danger, unless a malicious user has already gained access to their website (in which case, the problems they could cause are much bigger than what they could achieve with List Category Posts).
Thanks, and hope you can keep enjoying the plugin 🙂
Forum: Plugins
In reply to: [List category posts] Link “read more” to post
Hi @brisch, you can find the parameter posts_morelink in the documentation:

posts_morelink – Include a “read more” link after each post. It receives a string of characters as a parameter which will be used as the text of the link. Example:

[catlist id=38 posts_morelink="Read more about this post"]