patrick1994
Forum Replies Created
This is a known critical vulnerability. In plain English, any dummy with basic programming skills can take over your website.
It has been fixed in v 2.8.8, see this cute changelog entry:
2.8.8 – 2024-01-01
Improvement: Added sanitization and escape functions in POST SMTP Mobile App QR code scanning window
Not very clear? Yes. Apparently, most plugin vendors do it that way.
Forum: Plugins
In reply to: [Redirect 404 to Homepage] Please update the version number on updates
Thanks for providing an explanation. I am not owed one; I appreciate it.
While I agree with the principle, I disagree with your assessment that 100% of the updates were minor based on these update descriptions:
- [4 years ago] Don’t redirect wp-admin 404s
- [2 weeks ago] Avoid possible XML redirects
- [5 months ago] Change to template_redirect [that was in response to a huge post describing redirection stuff]
We can leave it at that, all I did was ask.
I subscribed to the RSS feed for the next time an update comes out where we disagree on how minor it is.
[Edit: fixed wrong times in the list]
- This reply was modified 2 years, 10 months ago by patrick1994.
thanks
They marked it as fixed.
Same link as yours: https://patchstack.com/database/vulnerability/flo-forms/wordpress-flo-forms-plugin-1-0-40-cross-site-scripting-xss-vulnerability?_a_id=431
Please fix the critical stuff, at least or bump the PHP version requirements.
The only critical problem with PHP 5.6 compatibility I see is this:
advanced-access-manager/application/Core/Jwt/Manager.php line 366
protected function jsonEncode(array $input): string
The other stuff appears fine to me or is used for command line stuff judging by the name “cli.php”, which appears like people can live with being broken on PHP 5.
- This reply was modified 2 years, 11 months ago by patrick1994.
Hi there,
I don’t see an update nor a “won’t fix” explanation.
The security nerds over here say it is still not fixed: https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
Not completely, though, right?
CTRL+F for “??” here:
Forum: Plugins
In reply to: [Ultra Addons for Contact Form 7] Multi-step form “Next” not working
I disagree with this solution of adding a fake name [uactf7_step_end fake-name] or [uactf7_step_end end] or whatever you want to call it. There is a real fix and you should go through this plugin and check if it needs to be applied elsewhere, too.
The last param in the code below (“true”) needs to go away.
Here: plugins/ultimate-addons-for-contact-form-7/addons/multistep/multistep.php line 19
wpcf7_add_form_tag( 'uacf7_step_end', array( $this, 'step_end_tag_handler' ), true );
Because this param enables a name attribute for this tag and from Contact Form 7 5.7.3 onwards (I did test 5.7.2 to verify), if a name attribute is supported, it has to be provided, else the tag is shown as is (it says “[uacf7_step_end]” on the page so you need to say “[uacf7_step_end fake-name]” for it to work as expected).
Same issue and solution as with the Image Captcha plugin, see this thread, also by me: https://wordpress.org/support/topic/captcha-no-longer-displayed-because-it-supports-a-name-attribute/
Since some people have already applied your solution, it would be a reasonable worry that my fix would break things. But I did verify that both [uacf7_step_end] and [uacf7_step_end end] work, so nothing should break.
thanks for answering
The author of the image captcha plugin had fixed it.
Thanks for the quick fix.
I have reported this problem to the CF7 people, too, in case they care.
Update: The parent directory coincidentally also contained an includes/defines.php (a Joomla installation).
So I can fix it in my case by removing ‘..’ from the include_path. Though, the conclusion remains: Please replace
require_once 'includes/defines.php';
with
require_once __DIR__ . '/' . 'includes/defines.php';
in wp-statistics.php
Ok, don’t close just yet, please. A solution will be posted. Maybe by myself.
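The include_path behaviour behind the require_once change proposed above, reproduced as an added example (this is not code from the thread or from the WP Statistics plugin). It builds a constructed directory layout in a temporary directory, with a parent-level includes/defines.php standing in for the Joomla file, and shows which file a bare relative require_once loads versus one anchored on __DIR__; the paths, marker strings and the include_path value are all assumptions made for the demonstration.

```php
<?php
// Constructed layout (assumed, mirrors the situation in the post):
//   $root/includes/defines.php                        <- the "Joomla" file in the parent dir
//   $root/wp/wp-content/plugins/wp-statistics/relative.php  <- bare relative require_once
//   $root/wp/wp-content/plugins/wp-statistics/anchored.php  <- __DIR__-anchored require_once
//   $root/wp/wp-content/plugins/wp-statistics/includes/defines.php <- the plugin's own file
$root   = sys_get_temp_dir() . '/include-path-demo-' . getmypid();
$plugin = "$root/wp/wp-content/plugins/wp-statistics";
mkdir("$root/includes", 0700, true);
mkdir("$plugin/includes", 0700, true);

// Each defines.php just returns a marker so we can see which one was loaded.
file_put_contents("$root/includes/defines.php", "<?php return 'parent-joomla';\n");
file_put_contents("$plugin/includes/defines.php", "<?php return 'plugin-own';\n");

// The plugin entry file written the two ways discussed in the thread.
file_put_contents("$plugin/relative.php",
    "<?php return require_once 'includes/defines.php';\n");
file_put_contents("$plugin/anchored.php",
    "<?php return require_once __DIR__ . '/' . 'includes/defines.php';\n");

// WordPress is normally executed with the site root as the working directory.
// With '..' in include_path (assumed here, as in the post), that entry points
// at the parent directory, where the foreign defines.php lives.
chdir("$root/wp");
set_include_path('.' . PATH_SEPARATOR . '..');

// A path that does not start with ./ or ../ is searched through the
// include_path entries (relative to the working directory) before PHP looks
// next to the calling file, so the parent directory's file wins.
$viaRelative = require "$plugin/relative.php";

// An absolute path built from __DIR__ bypasses include_path entirely and can
// only ever load the plugin's own file.
$viaAnchored = require "$plugin/anchored.php";

echo "bare relative require_once loaded: $viaRelative\n";
echo "__DIR__-anchored require_once loaded: $viaAnchored\n";

// Clean up the constructed tree.
foreach (["$root/includes/defines.php", "$plugin/includes/defines.php",
          "$plugin/relative.php", "$plugin/anchored.php"] as $f) {
    unlink($f);
}
foreach (["$plugin/includes", $plugin, "$root/wp/wp-content/plugins",
          "$root/wp/wp-content", "$root/wp", "$root/includes", $root] as $d) {
    rmdir($d);
}
```

Run with `php include-path-demo.php` (any filename works): the bare relative form reports the parent directory's marker, the anchored form the plugin's own, which is exactly the silent wrong-file inclusion the thread is about.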