• Resolved rlwp

    (@rlwp)


    Jetpack Protect correctly says versions <= 2.3.28 of GigPress are affected by a vulnerability, but gives me an alert despite version 2.3.29 being installed.

    GigPress (2.3.29)

    GigPress <= 2.3.28 – Subscriber+ SQLi
    What is the problem?
    The plugin does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow any authenticated user, such as a subscriber, to perform SQL injection attacks.

    GigPress 2.3.29 was released on github by the original plugin authors to address this vulnerability.

    • This topic was modified 11 months, 2 weeks ago by rlwp.
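    The WPScan description quoted above names a general pattern: a shortcode attribute that reaches a SQL string without validation or escaping. The following is an added illustration of that pattern and its fix, not code from GigPress or from the thread; the table name `example_shows`, the shortcode tag `example_shows` and the attribute names are hypothetical. It shows the unsafe interpolation (kept as a comment) next to the hardened form that validates the attributes and binds them with `$wpdb->prepare()`.

```php
<?php
// Added illustration (not GigPress code): a shortcode handler that builds a
// query from its attributes. Table, tag and attribute names are hypothetical.

add_shortcode( 'example_shows', 'example_shows_shortcode' );

/**
 * Render a list of shows filtered by artist, e.g. [example_shows artist="Foo" limit="10"].
 *
 * @param array|string $atts Raw shortcode attributes as passed by WordPress.
 * @return string HTML output.
 */
function example_shows_shortcode( $atts ) {
    global $wpdb;

    // Merge with defaults so every key we use is guaranteed to exist.
    $atts = shortcode_atts(
        array(
            'artist' => '',
            'limit'  => 10,
        ),
        $atts,
        'example_shows'
    );

    // UNSAFE (the pattern the advisory describes): attribute values are spliced
    // straight into the SQL text, so whoever can get the shortcode rendered
    // controls part of the query. Shown commented out for contrast only.
    //
    // $rows = $wpdb->get_results(
    //     "SELECT id, title FROM {$wpdb->prefix}example_shows
    //      WHERE artist = '{$atts['artist']}' LIMIT {$atts['limit']}"
    // );

    // SAFE: validate each attribute against what it is supposed to be, then
    // bind it with $wpdb->prepare() so it is always treated as data.
    $artist = sanitize_text_field( $atts['artist'] );
    if ( '' === $artist || strlen( $artist ) > 100 ) {
        return '';
    }

    // absint() coerces to a non-negative integer; clamp to a sane range so a
    // huge LIMIT cannot be used to hammer the database.
    $limit = min( max( absint( $atts['limit'] ), 1 ), 100 );

    $table = $wpdb->prefix . 'example_shows'; // prefix is trusted config, not user input

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$table} WHERE artist = %s ORDER BY id DESC LIMIT %d",
            $artist,
            $limit
        )
    );

    if ( empty( $rows ) ) {
        return '';
    }

    // Escape on output as well: the stored values may themselves contain markup.
    $html = '<ul class="example-shows">';
    foreach ( $rows as $row ) {
        $html .= '<li>' . esc_html( $row->title ) . '</li>';
    }
    $html .= '</ul>';

    return $html;
}
```

    The two `%s`/`%d` placeholders are what make the difference: `$wpdb->prepare()` quotes and escapes the string for the `%s` slot and forces the `%d` slot to an integer, so the attribute values can never change the shape of the statement. Input validation (`sanitize_text_field`, `absint`, length and range limits) is kept separate from that binding step; it narrows what reaches the query but is not a substitute for the placeholder. Note also that scanners such as Jetpack Protect and WPScan match on the installed plugin version, so a fix like this only stops the alert once it ships in a version the advisory data lists as patched.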
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support lastsplash (a11n)

    (@lastsplash)

    Hi @rlwp

    I downloaded the version of GigPress that you linked (v2.3.29) and Jetpack Protect did not report the vulnerability that you shared.

    Can you provide a screenshot showing the warning? Did you remove 2.3.28 before installing 2.3.29?

    Thread Starter rlwp

    (@rlwp)

    Screenshots above. I don’t remember if I uninstalled the vulnerable version before upgrading Gigpress; it was a while ago and I only recently started using Jetpack.

    Hi @rlwp

    I can confirm that version 2.3.28 is indeed vulnerable to the vulnerability you have shown in the screenshot. We were not aware of a fix in the 2.3.29 on GitHub since the plugin is now closed on WP.org.

    Are you in contact with the developers since you discovered the fix?

    Thread Starter rlwp

    (@rlwp)

    The developers published the fixed version (2.3.29) on GitHub precisely to address that security flaw. So I downloaded and installed it. I haven’t contacted them.

    • This reply was modified 10 months, 3 weeks ago by rlwp.
    Plugin Support lastsplash (a11n)

    (@lastsplash)

    Hi @rlwp

    We don’t monitor GitHub for new versions. The data used by Jetpack Protect is based on our WPScan service. You can see a report for GigPress there:

    I’d recommend reaching out to the developers of the plugin to get confirmation that they have addressed the issues:

  • The topic ‘False positive (Gigpress 2.3.29)’ is closed to new replies.