Vulnerability patch?
-
Hello,
Is there a patch planned for fixing existing vulnerability?
-
There is no known vulnerability at the moment. Can you please elaborate?
The Solid Security plugin (formerly iThemes Security) has been sending this alert for a couple of days, and I thought you got the same – although it doesn’t seem very important:
I think normally they try to send you some sort of notification that they’ve found a vulnerability, but given what I saw on the Patchstack site, that notification would likely appear to be spam if you didn’t know what it was.
They want you to sign up for their service as a plugin developer/owner and claim ownership of the plugin. Then they’ll provide the details of the vulnerability and, once you’ve fixed it, verify the vulnerability is gone and mark it as fixed.
They pay people to find vulnerabilities. They verify the vulnerabilities and then publish them. And the Solid Security plugin (which I also use) subscribes to their service.
Sounds like it’s an actual vulnerability though.
Good luck!
We have WP Defender, it’s reporting this:
—
CVSS Score 5.3
WordPress Yet Another Related Posts Plugin (YARPP) plugin <= 5.30.10 – Broken Access Control vulnerability
- Vulnerability type: Broken Access Control
- No Update Available
—
A fix would be greatly appreciated!
-
This reply was modified 1 year, 6 months ago by
kevinbrands.
Still no patch? 🙁
Another request to patch the current vulnerability. I received a message from my host last week saying it needed to be deactivated because no patch was available.
Moderator note: NO MORE “ME, TOO” TOPICS.
If you want to follow this topic, click “subscribe” on the right.
Hello everyone,
We have been tracking progress of this bug over at this thread – https://wordpress.org/support/topic/update-713/
UPDATE: New version with patch is live! Please update to version 5.30.11 or newer.
We have notified Patchstack (reporter of bug). They should mark this as resolved soon, which then should make its way to Wordfence and others.
In case you were not following along the other thread, there was zero risk as the “bug” was in a section of code that hasn’t been referenced or called for many years (dead code).
Thank you so much for your patience through this. Please update ASAP.
The topic ‘Vulnerability patch?’ is closed to new replies.
