5 Comments

  1. Daniel James

    This is a real problem with vulnerability reporting and how plugin authors handle things. The changelog in its current state says:

    Escape backup labels. (Thanks to Connum for reporting)

    It doesn’t actually state that you must update to 7.0 because of a security issue, many will be blissfully unaware of the potential dangers.

    Plugin authors need to stop worrying about ‘saving face’ and tell people they messed up.

    I’ve had plugins with security issues in them and it is a balancing act, you do have to be mindful of attracting exploits against older versions but sometimes you need to label these issues for what they are.

    • Jeff Chandler

      Which is why I said the labelling was unfortunate, as I think most users nowadays will update quicker if the changelog notes a security fix. On the one hand, you don’t want to notify the world that an exploit exists. On the other, plenty of other people and organizations will or are already doing so, so the responsibility is on the plugin author to educate and inform their users.

  2. Ed

    Note that users will actually want to avoid using version 7.0 of this plugin, as it contains another (fairly serious) security vulnerability. Version 7.1 was just released as a fix for this. (Of course, it is generally best for users to keep all plugins updated to the latest version at all times.)

    • Jeff Chandler

      Thanks for the update, I’ve added this information to the bottom of the post. It has been a rough few weeks for this plugin.

    • Plugin Vulnerabilities

      While looking into the details of the vulnerability you discovered we found a couple of very minor vulnerabilities still present in version 7.1.

      The security design of the plugin is out of line with how plugins are usually secured and might be unnecessarily less secure, so people may want to consider other plugins.
