Cross Site Scripting Vulnerability
-
My Plesk WPToolkit is reporting:
WordPress WP Table Builder plugin <= 2.0.4 – Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Peter Thaleikis in WordPress Plugin WP Table Builder (versions <= 2.0.4)
Date: 09.04.2025 | Source: Patchstack
Please can you have a look at this?
-
Hello everyone, we understand that you’re concerned about this reported vulnerability. Unfortunately, we haven’t had any communication with Patchstack – the ones who identified and published the vulnerability.
We’ve dealt with other security companies before – when they find a vulnerability, they send us an email disclosing the vulnerability. As long as we work on fixing the issue, they don’t go public with it.
But in this case, proper ethical disclosure procedure has not been followed – Patchstack hasn’t contacted us about the vulnerability. They’ve done the same thing with another one of our plugins. No emails, they just published a vulnerability.
One more weird thing: normally, when a vulnerability is posted publicly, it includes a detailed description of an example exploitation (proof of concept) – see: https://wpscan.com/vulnerability/12bf5e8e-24c9-48b9-b94c-c14ed60d7c15/ (this old vulnerability has been fixed a long time ago). So, we have no idea where this vulnerability is and therefore, we can’t fix anything. However, we are still going through our codebase to see if there is any issue.
We’re trying to contact Patchstack and get this sorted ASAP.
Hi, @pg-fun
We’ve seen this report page from patchstack but this doesn’t help us much since it does not contain details about the vulnerability nor does it have a proof of concept exploit.
Patchstack also hasn’t followed ethical disclosure practices to contact and inform us about the vulnerability before going public with it.
Hi @permafrost06, that is disappointing to read. I am stunned that Patchstack have not contacted you before disclosing publicly.
Have you reached out to them, and had no response?
I have just seen the v2.0.5 update. I am in the process of updating/installing that update!
Patchstack advise me that they contacted/reached out to you, the developer/vendor of this plugin, at the beginning of 2025, when the issue was responsibly disclosed in early January 2025.
I have asked Patchstack to check the v2.0.5 release to see if that is a fix/official fix,
but they tell me you have to contact them to advise them of the v2.0.5 release.
Check all your email boxes for emails from Patchstack (junk and spam as well?).
v2.0.5 installed and all appears fine. Just waiting for Patchstack to catch up regarding the new update to v2.0.5.
*Reads. Archived some redundant replies. Has more coffee.*
Excuse me for getting a little off topic for a second.
*Has more coffee, so good.*
@patchstack If you intend to contact a developer of a WordPress plugin hosted on this site then you must contact the plugin team via plugins[at]wordpress.org with the details. They have been able to successfully and responsibly inform plugin authors. If you try other methods and you do not hear from a developer then do that and contact the plugins team. Seriously. If you don’t, then do not tell people you contacted the developer. Instead say “we tried and failed as we did not get a reply”, which is more correct.
The plugins team works with many responsible teams reporting vulnerabilities all the time. If they can’t contact the developer then they can do other things if necessary.
Hello,
v2.0.5 has been released with improved XSS protection.
Even though we don’t know for sure whether Patchstack is reporting those exact ones, we will continue to improve and coordinate with them to fix the ones they are reporting.
Thank you.
I concur, yes all good,
but now WordPress v6.8 is out, so your plugin just needs “compatible up to v6.8”?
Tested, testing, or whatever is needed for that? Apologies, I am not a developer/programmer type!
It seems like it’s flagged as not fixed again.
Can you please send us the details to [email protected]?
I couldn’t find the details you sent last time.
So we know exactly what to fix.
Kind Regards.
https://patchstack.com/for-plugins
You can visit the above link and chat to them online?