• Resolved martindesilets

    (@martindesilets)


    I received a notice about 1.9.2 being a security risk and that I should update to version 1.10. Is there a reason this is a manual upgrade? All of my sites running 1.9.2 show no option for automatic upgrade.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    thanks for your post, and sorry for the trouble.

    This is actually a false report. There is no immediate security issue in TablePress 1.9.2. For some more discussion, please see https://www.ads-software.com/support/topic/why-such-a-high-wp-version-requirement/

    Also, 1.10 is not a manual update. You are probably just not seeing it because your sites have not been updated to WordPress 5.3, or the server is not using a recent version of PHP (at least PHP 5.6.20).

    From a security perspective, you can continue to use TablePress 1.9.2. (Of course, updating to the latest version is always recommended.)

    Regards,
    Tobias

    Thanks for the fast response @tobiasbg!

    I was just about to post the same question after receiving the WP Engine notification. I am also on an older WP version while waiting for all plugins to be compatible with 5.3. After reviewing the support thread you linked, I understand this is truly low risk. With that said, I still hope you will patch for this in a future release, because it is always good to err on the side of caution. TablePress is such a great plugin – it would be a shame if this was exploited and people who don’t understand all the details associated it with TablePress and not with text editors and CSV files in general.

    Thank you for the great plugin!
    Lindsay

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    @mtlindsayroseryan:

    Good to hear that this was helpful for you as well!

    In my opinion, there’s nothing here to patch in TablePress. The plugin is producing valid and legal CSV files that follow the specifications. It’s Excel (and possibly other programs) that just open the files without the necessary precautions. If I changed the CSV output in TablePress, the resulting CSV files would instead not be compatible with many other programs and workflows anymore. In addition, the risk would not really be mitigated. Some evil guy could simply create a malicious text file in any text editor and send it to his target victim by email, or have it downloaded from some link. Those are the dangerous cases, and they show that Excel, etc. need to fix this.

    Best wishes,
    Tobias
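The trade-off Tobias describes above can be made concrete. The following is an added example, not TablePress code and not something the author proposed: a small CSV exporter that applies the common apostrophe-prefix mitigation to cells a spreadsheet might read as a formula, together with a helper that reports which legitimate cells (such as negative numbers) the mitigation would alter. The trigger characters and the sample table are assumptions for illustration.

```python
import csv
import io

# Characters that spreadsheet applications may interpret as the start of a
# formula when a CSV cell begins with them (the usual list used for this
# mitigation; assumption for this example).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell text with a leading apostrophe if it could be read as a formula.

    The apostrophe makes spreadsheet apps show the cell as text, but it
    becomes part of the exported data for every other consumer of the file.
    That side effect is the compatibility cost discussed in the thread.
    """
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, neutralize=True):
    """Serialize rows to CSV text, optionally neutralizing formula-like cells."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else str(c) for c in row])
    return buf.getvalue()


def affected_cells(rows):
    """List (row, col, value) for every cell the neutralizer would change.

    Running this over a real table shows how much ordinary data (for example
    negative numbers) an export would alter, which is the compatibility concern.
    """
    hits = []
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            if neutralize_cell(cell) != str(cell):
                hits.append((r, c, str(cell)))
    return hits


# Constructed sample table: a header, a normal row, and a row where one cell
# starts with "=" and a legitimate negative number also starts with "-".
SAMPLE_ROWS = [
    ["Product", "Change", "Note"],
    ["Widget", "12", "ok"],
    ["Gadget", "-5", "=SUM(A1:A2)"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
    print(affected_cells(SAMPLE_ROWS))
```

Note that the neutralized export changes the legitimate "-5" cell as well as the formula-like one, which is exactly why a mitigation at the exporter is not free.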

    I understand @tobiasbg – I know this is an issue with csv files in general and that the last line of defense (the programs used to open the files) should be taking precautions to protect their users.

    I meant no offense and was just sharing my opinion because I really like TablePress.

    Thanks again for the great plugin and all the work you put into maintaining it!
    Lindsay

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi Lindsay,

    no worries, I totally understand! I just wanted to explain it here in more detail, also for others who might see this.

    Best wishes,
    Tobias

  • The topic ‘WPEngine Security Alert’ is closed to new replies.