Ronny Adsetts
Forum Replies Created
Forum: Reviews
In reply to: [ALTCHA Spam Protection] V2 is out and it sucks
Just found your review when I updated to the latest version of the v1 plugin just now and got lots of nags about upgrading to v2 which I was previously unaware of…
The license changed on v2 of the plugin too. From GPL to a proprietary license. No longer in the WP.org repo either. I too will stick with the v1 GPL plugin for now and keep an eye on how things change.
Forum: Plugins
In reply to: [ALTCHA Spam Protection] WooCommerce Checkout Integration
Additional info in this. There’s a Woo blog post on card testing attacks via the Store API:
https://developer.woocommerce.com/2024/12/18/card-testing-attacks-and-the-store-api/
The post contains info on implementing CAPTCHA for the Store API.
Finally, here’s their (Woo’s) PR for adding this functionality to the CF Turnstile plugin as it might help:
https://github.com/ElliotSowersby/simple-cloudflare-turnstile/pull/31
And the reCAPTCHA one by the same author:
https://github.com/ElliotSowersby/recaptcha-woo/pull/6
We’re currently seeing this on one of our sites and I’m looking for a CAPTCHA solution that doesn’t necessitate GDPR consent. If I can get the go-ahead, I’ll try and add this functionality myself. No promises though.
- This reply was modified 7 months, 4 weeks ago by Ronny Adsetts. Reason: Edited to correct the PR for the Turnstile plugin
@ingarb I’ve applied the following patch which at least means that mc_insights_suggested_price_micros is no longer NULL in the SQL INSERT:
--- PriceBenchmarks.php 2025-06-27 21:52:18.758304063 +0100
+++ htdocs/wp-content/plugins/google-listings-and-ads/src/MerchantCenter/PriceBenchmarks.php 2025-06-27 21:54:44.264176871 +0100
@@ -106,7 +106,7 @@
'mc_product_price_micros' => $price_competitiveness['price_micros'],
'mc_price_benchmark_price_micros' => $price_competitiveness['benchmark_price_micros'],
'mc_price_benchmark_price_currency_code' => $price_competitiveness['benchmark_price_currency_code'] ?? '',
- 'mc_insights_suggested_price_micros' => $price_insights['suggested_price_micros'],
+ 'mc_insights_suggested_price_micros' => $price_insights['suggested_price_micros'] ?? '',
'mc_insights_suggested_price_currency_code' => $price_insights['suggested_price_currency_code'] ?? '',
'mc_insights_predicted_impressions_change_fraction' => $price_insights['predicted_impressions_change_fraction'] ?? '',
'mc_insights_predicted_clicks_change_fraction' => $price_insights['predicted_clicks_change_fraction'] ?? '',
This doesn’t fix whether suggested_price_micros element ought to exist in the $price_insights array but it’s good practice to not assume data exists.
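Review bot: The `''` fallback on the changed `mc_insights_suggested_price_micros` line puts an empty string into a field whose name says it holds a micros amount; it matches the neighbouring `?? ''` lines, but if the column is numeric, a default of the column's own type states the intent better than relying on the database to coerce `''`. The two context lines at the top of the hunk still read `$price_competitiveness['price_micros']` and `$price_competitiveness['benchmark_price_micros']` without `??`, so they will raise the same undefined-key warning whenever that array is incomplete and should get the same guard.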
I’ll let you know if it causes our website to eat itself. :-).
@lynnjat7 Thanks. We’re sync’ing around 1200 products. We’re also using CRON on the server rather than WP Cron and seeing the error there on a job that runs daily.
Quick debug on this.
The PHP warning refers to line 109 of google-listings-and-ads/src/MerchantCenter/PriceBenchmarks.php. The array being referenced is $price_insights. Lines 110-114 also refer to this array but the difference is that these lines are all null-coalesced whereas line 109 is not.
That would quieten the warning.
We’re seeing the same warnings too. This is definitely an issue with the plugin. Please could you investigate the reports rather than fobbing people off?
PHP Warning: Undefined array key "suggested_price_micros" in /home/***/wp-content/plugins/google-listings-and-ads/src/MerchantCenter/PriceBenchmarks.php on line 109
This is with PHP v8.2 but that warning is not specific to any PHP version.
Thanks.
Forum: Plugins
In reply to: [WP-LESS] WP LESS 1.9.3-3 is vulnerable to Sensative Data Disclosure
Plugin has now been updated fixing this issue. The version string has not been changed unfortunately.
Forum: Plugins
In reply to: [WP-LESS] WP LESS 1.9.3-3 is vulnerable to Sensative Data Disclosure
Patchstack have responded – we’re out of luck there:
“unfortunately, we can’t share sensitive information with 3rd parties. We can only provide vulnerability data to the plugin author. Thank you.”
Forum: Plugins
In reply to: [WP-LESS] WP LESS 1.9.3-3 is vulnerable to Sensative Data Disclosure
I have no idea of the details of the issue. I’ve written to Patchstack to try and get the bug details. I’ll let you know what they say when they respond.
As far as forking goes, the plugin github appears to be here:
https://github.com/thom4parisot/wp-less
I’ve logged an issue on Github for this issue. Hopefully the plugin author will respond.
Forum: Plugins
In reply to: [WP-LESS] WP LESS 1.9.3-3 is vulnerable to Sensative Data Disclosure
Yes, it looks like it’s potentially abandoned, or at best neglected. Unfortunately we have a site we’re responsible for maintaining that uses a 3rd-party theme that relies on this plugin.
The good news is that the plugin is on github so can potentially be forked if needed.
Forum: Plugins
In reply to: [WP-LESS] WP LESS 1.9.3-3 is vulnerable to Sensative Data Disclosure
Wordfence is reporting this security issue too:
According to Patchstack, this was first reported on 4th Feb and published publicly on the 3rd April.
It’s not clear to me what sensitive data is available via this issue. I could write a patch if I could find the actual details.
I think you need to be the plugin author to “claim” the plugin via Patchstack.
Ronny
@viablethought Thanks, makes sense. Irritating that Wordfence can’t deal with this rather than just flagging all the files as bad and scaring the bejesus out of us before coffee! ;-).
I’m seeing this too on a customer’s site. A bit disconcerting. :-).
Ronny
Thanks for the update, it’s appreciated.
Whilst the security issue was indeed minor, it was reported 10 months ago. If you don’t intend to maintain the plugin in a prompt fashion, I’d suggest having it removed from wordpress.org. That way, we know where we stand and can move on rather than having to wonder if perhaps a fix will happen.
Ronny
There has been an update to resolve this issue, however it took a 1-star review (mine) and negative comment to prompt the update.
Ronny