slewisma
Forum Replies Created
Yes, 5.1.3 still works correctly in my test site here.
Forum: Plugins
In reply to: [List category posts] Vulnerability posted by Wordfence
In case it is helpful, here are some tips from Wordfence for securing local file inclusion when it is needed: https://www.wordfence.com/blog/2025/10/how-to-find-local-file-inclusion-lfi-vulnerabilities-in-wordpress-plugins-and-themes/#how-to-prevent-lfi-vulnerabilities
Not sure if these are practical in the List Category Posts code or not but thought I’d post them here in case they’re helpful for addressing the security risk while not breaking an important part of how the plugin works.
That 5.1.2-1 experimental release does fix the problem on the sites where I use Toolset and Font Awesome. I tested on a copy on localhost.
I opened a ticket with Toolset today referencing this support post as they seemed to want proof it was a Toolset issue before doing more work on their side of things in older, now closed, tickets. Your post from yesterday seems to explain it pretty well. Not sure if they’ll act on that or not.
Having the same issue on a bunch of client sites where I use Toolset. My workaround is to not use the Font Awesome plugin and load Font Awesome by script instead. Since I don’t need access to font awesome in classic or block editor, this works for me but I’d still prefer if Toolset and Font Awesome can work this out and fix it in either or both plugins.
Forum: Plugins
In reply to: [List category posts] SECURITY RISK
Wordfence and ManageWP still show it as vulnerable too which gives clients anxiety.
This update appears to have fixed the issue. Thank you.
Any progress on this issue? Most other plugins fixed this last year when it first started happening with a WordPress update. It is filling the error logs on servers.
Forum: Plugins
In reply to: [List category posts] SECURITY RISK
Fernando, does your comment about 0.91.0 having just gone out mean that you will be addressing the vulnerability, just not immediately since you just did a release?
Clients get nervous when they see the warning from Wordfence, Jetpack, etc. I understand the risk is low due to the needed access levels and that Wordfence’s WAF may provide protection anyway. It’d be good to be able to tell the clients that the risk is minimal and that a future update will address it rather than not knowing if it will be addressed or not. Thanks!
Forum: Plugins
In reply to: [Asgaros Forum] Vulnerability reported
Thanks for the quick resolution!
Forum: Plugins
In reply to: [Responsive Lightbox & Gallery] PHP warning: Function called incorrectly
Every other plugin maker of plugins I use on client sites that had this issue fixed it months ago. It’d be really nice to have it officially fixed in the repository version of Responsive Lightbox soon.
I think I found the root cause. The customer’s Stripe account is “managed by” another business/app. That was apparently okay with the legacy checkout method but you cannot connect WooCommerce to that kind of Stripe account with the newer checkout method. Unfortunately it looks like the only solution is going to be for the customer to set up a new Stripe account directly with Stripe.
Hi Devin, it’s been a while. Nice to see you here.
My issue is that when I get to the list of businesses, it says the one I want to choose is ineligible as it is connected to another app. I am thinking I might be able to get it to work if I revoke access to the previous WooCommerce connection but, if it doesn’t work, that makes the process of reverting to the old site that much more complex which equals more downtime and late night work.
It seems like I should be able to connect WC Stripe and StellarPay since I routinely connect WC Stripe and Gravity Forms Stripe or GiveWP Stripe from the same site but it doesn’t let me.
Hi Devin, good to hear from you.
Hi Ramon,
Does that code return without unsetting the buttons if there is no subscription involved? I’m seeing these buttons on regular products, not subscriptions, on the site where I discovered the issue.
My two clients are still connected. I’ll keep checking through the week as the connection usually lasts for a week or more before dropping.
Yes, each time this happens I have to revoke access and then authorize again. The ability to use an API Key doesn’t seem to work on its own without the OAuth login also being in place.