Vulnerability patch?

There is no known vulnerability at the moment. Can you please elaborate?

Solid Security plugin (former iThemes Security) keeps sending this alert since a couple of days and I thought you got the same – although it doesn’t seem very important:

https://patchstack.com/database/vulnerability/yet-another-related-posts-plugin/wordpress-yet-another-related-posts-plugin-yarpp-plugin-5-30-10-broken-access-control-vulnerability?_a_id=431

Yes, please patch.

I think normally they try to send you some sort of notification that they’ve found a vulnerability, but given what I saw on the Patchstack site, that notification would likely appear to be spam if you didn’t know what it was.

They want you to sign up for their service as a plugin developer/owner and claim ownership of the plugin. Then they’ll provide the details of the vulnerability and, once you’ve fixed it, verify the vulnerability is gone and mark it as fixed.

They pay people to find vulnerabilities. They verify the vulnerabilities and then publish them. And the Solid Security plugin (which I also use) subscribes to their service.

Sounds like it’s an actual vulnerability though.

Good luck!

Please Fix this issue

• This reply was modified 2 months, 2 weeks ago by muzammilijazp. Reason: upload image

Solid WP lists this Issue too in their latest vulnerability report, and recommends to deactivate the plugin:
https://solidwp.com/blog/wordpress-vulnerability-report-september-4-2024

However, CVE does not provide any information about the provided CVE ID (yet?):
https://www.cve.org/CVERecord?id=CVE-2024-43919

@jeffparker Can you please clarify what’s the situation here? Is there a real threat? And is a patch being worked on?

Wordfence is now reporting this as well CVE: CVE-2024-43919 There’s currently no info there though.

More: YARPP <= 5.30.10 – Missing Authorization (wordfence.com)

Same problem here.

The same problem here, please patch

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-53010-missing-authorization

Same here. A patch would be appreciated. Thanks!

We have WP Defender, it’s reporting this:

—

CVSS Score 5.3

WordPress Yet Another Related Posts Plugin (YARPP) plugin <= 5.30.10 – Broken Access Control vulnerability

-Vulnerability type: Broken Access Control
-No Update Available

—

A fix would be greatly appreciated!

• This reply was modified 2 months, 2 weeks ago by kevinbrands.
• This reply was modified 2 months, 2 weeks ago by kevinbrands.
• This reply was modified 2 months, 2 weeks ago by kevinbrands.

Still no patch? ??

another request to patch the current vulnerability, I received a message from my host last week saying it needed to be deactivated because no patch was available.

Same here

• This reply was modified 2 months, 1 week ago by victormontes. Reason: bad image

I also have a security alert from Wordfence.
Does the team plan to fix this ?
No news after a whole week of reports, which isn’t very encouraging.