• This morning I was emailed a Plugin Vulnerability Notification about Pods by WP Engine Security:
    At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified your site(s), southridingpro srsandbox, is (are) utilizing a vulnerable version of the Meta Tag Manager plugin.

    At this time, we are not seeing that the plugin author has released an update or patch for this vulnerability.

    WP Engine summary of the vulnerability: Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.

    Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
    https://wpscan.com/vulnerability/58ab5352-d783-431a-b0a5-382381cc13fd

    We encourage you to assess the risk of continuing to use this plugin until a patch is released.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Much like Pods, this plugin got swept up incorrectly. It appears that if a plugin ever used the Freemius SDK then they are marked as vulnerable even if Freemius SDK was later removed.

    This plugin removed Freemius SDK in 2.1 back in August 2020.

    WPScan is going to have a lot of upset plugin authors on their hands.
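    The reply above describes the root of the false positive: the database flags any plugin that ever integrated the Freemius SDK, whereas what matters is whether the installed version still ships it. The script below is an added triage check, not code from this thread, WPScan or WP Engine. It inspects a plugin directory for the markers I assume an integration leaves behind (a bundled `freemius/start.php` that sets `$this_sdk_version`, and `fs_dynamic_init(` calls in the plugin's own PHP), reads the plugin's `Version:` header, and classifies the result. The two plugin trees it builds are constructed samples, not real plugins.

```python
"""Triage a Freemius-SDK vulnerability notification by checking what the
installed plugin actually contains, instead of trusting the database entry.

Added example; not code from the forum thread, WPScan or WP Engine.
Assumptions (labelled): the SDK lives in a `freemius/` directory whose
`start.php` sets `$this_sdk_version = '...'`, and integrating plugins call
`fs_dynamic_init(`. The sample plugin trees below are constructed inline.
"""
import os
import re
import tempfile

# Assumed markers of a Freemius SDK integration (see module docstring).
SDK_VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*['\"]([0-9.]+)['\"]")
DYNAMIC_INIT_RE = re.compile(r"\bfs_dynamic_init\s*\(")
# Standard WordPress plugin header line, e.g. " * Version: 2.1.0".
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def audit_plugin(plugin_dir):
    """Return what the plugin on disk actually ships, as a dict."""
    result = {"plugin_version": None, "sdk_dir_present": False,
              "sdk_version": None, "fs_dynamic_init_files": []}
    start_php = os.path.join(plugin_dir, "freemius", "start.php")
    if os.path.isfile(start_php):
        result["sdk_dir_present"] = True
        with open(start_php, encoding="utf-8", errors="replace") as fh:
            m = SDK_VERSION_RE.search(fh.read())
            if m:
                result["sdk_version"] = m.group(1)
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # The plugin header lives in a top-level PHP file.
            if root == plugin_dir and result["plugin_version"] is None:
                m = PLUGIN_VERSION_RE.search(text)
                if m:
                    result["plugin_version"] = m.group(1)
            # Ignore the SDK's own files: we want the plugin's integration calls.
            rel = os.path.relpath(path, plugin_dir)
            if rel.startswith("freemius" + os.sep):
                continue
            if DYNAMIC_INIT_RE.search(text):
                result["fs_dynamic_init_files"].append(rel)
    result["fs_dynamic_init_files"].sort()
    return result


def verdict(audit):
    """'bundles_sdk' (SDK shipped), 'stale_integration' (calls it but does
    not ship it), or 'no_sdk' (nothing Freemius-related found)."""
    if audit["sdk_dir_present"]:
        return "bundles_sdk"
    if audit["fs_dynamic_init_files"]:
        return "stale_integration"
    return "no_sdk"


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_samples():
    """Two constructed plugin trees: one still bundling the SDK, one that
    dropped it in a later release. Returns (old_dir, new_dir)."""
    base = tempfile.mkdtemp(prefix="fs-triage-")
    old = os.path.join(base, "example-plugin-old")
    _write(old, "example-plugin.php",
           "<?php\n/*\n * Plugin Name: Example Plugin\n * Version: 2.0.3\n */\n"
           "require_once dirname(__FILE__) . '/freemius/start.php';\n"
           "fs_dynamic_init( array( 'id' => '000' ) );\n")
    _write(old, "freemius/start.php",
           "<?php\n$this_sdk_version = '2.3.0';\n"
           "function fs_dynamic_init( $module ) {}\n")
    new = os.path.join(base, "example-plugin-new")
    _write(new, "example-plugin.php",
           "<?php\n/*\n * Plugin Name: Example Plugin\n * Version: 2.1.0\n */\n"
           "// Freemius SDK removed in this release.\n")
    return old, new


if __name__ == "__main__":
    for d in build_samples():
        a = audit_plugin(d)
        print(os.path.basename(d), a["plugin_version"], verdict(a), a["sdk_version"])
```

    Run it against `wp-content/plugins/<slug>` on the affected site: `no_sdk` means the notification is a data problem to raise with the database maintainer; `bundles_sdk` tells you which SDK version is actually installed, which is the number to compare against the advisory rather than the plugin version. The check only answers the "does it ship Freemius" question; it says nothing about any other issue in the plugin.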

    Thread Starter lreyes13

    (@lreyes13)

    Hello,

    I received the email below, and I checked the list of cleared plugins and Meta Tag Manager is not in the list. Is it under a different name?

    https://wpscan.com/vulnerability/9f01090f-df5b-4d9e-bc4d-fac9150fdfe6

    You may have received a recent vulnerability notification about plugins affected by a Freemius SDK vulnerability ( https://wpscan.com/vulnerability/9f01090f-df5b-4d9e-bc4d-fac9150fdfe6 ).

    It is now clear that at least some of those plugins (e.g., WP Activity Log, any version of Pods 2.8+) are not vulnerable and we have notified WPScan of the discrepancies in their data, which we use to provide this service.

    They have acknowledged the issue and are updating the original page to be more accurate – please check that page (https://wpscan.com/vulnerability/9f01090f-df5b-4d9e-bc4d-fac9150fdfe6) to see if plugins you’re running may be affected.

    We apologize for the confusion and will work with WPScan to avoid similar issues going forward.

    Please make sure to run a backup of your database before making any changes. You can learn how to do so in this article: https://wpengine.com/support/restore/.

    Plugin Author Marcus

    (@msykes)

    Hello, this is a false positive, or posted in the wrong forum. Note the email pasted mentions ‘Pods’ and not ‘Meta Tag Manager’. Additionally, the vulnerability in question relates to the use of the “Freemius SDK for WordPress”, we do not use this.

    @sc0ttkclark thanks for chiming in!

  • The topic ‘Notified of potential vulnerability’ is closed to new replies.