Also – before I wrote that I made sure that all plugins are updated. I ran tests on it on both PHP 7.4 and 8.1; in both cases issues appeared.
List of contact form related active plugins on our site:
Before I started debugging it we had activated at the same time plugins “Accept PayPal Payments using Contact Form 7” and “Accept PayPal Payments using Contact Form 7 Pro”, but when I updated them to the newest version, my WordPress admin panel started crashing – I had to manually debug it and it looks like these plugins have the same function names and because of that a fatal error was triggered. After I deactivated the free plugin, it started working fine.
That plugin requires a lot of work before it will start working normally, how can you take money for it?
Start from fixing the issue with “HTTP/2 stream 1 was not closed cleanly” as that is the most critical of these.
My security tool is popping up with a notification for a security breach and vulnerability in all versions of Gutenberg Plugin. My current version is: 17.0.2.
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE: CVE-2022-33994
CVSS: 5.4 (Medium)
When will the patch version come out for all versions?
Thanks in advance,
Bas
Somehow, WP Staging revealed my secret wp-login site and the BomboraBot found it! I have inspected the pages on the staging site, and the only way to find any reference to the secret wp-login URL is if someone was successfully logged into the staging site’s admin and inspected the header information, which only then shows the hidden login URL.
Please let me know if there is a security issue with the use of the WP Staging plugin to create a cloned staging site. If I can’t determine where the breach occurred, then I’ll have to uninstall the plugin and change the alternative wp-login URL for my other sites.
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin/?utm_medium=email&_hsmi=221702271&_hsenc=p2ANqtz-97c08KbOnL5Dy-qhOPE-uBaAvkrz6T3A–JUjmxSVGMPyTyN6jExO0CKYm1cVQPBIEyMxtlHSbkLlb9f-a347qnSk0bA&utm_content=221702271&utm_source=hs_email
I was just about to pay for the premium version of this plugin today, but instead, I had to deactivate and delete it immediately, which likely is hurting my SEO.
In a recent thread, the author of this plugin said they’d be releasing updates. I hope they do this VERY soon as a lot of people are currently at serious risk who run this plugin.
Once it’s fixed, and if it starts getting updated more by the author, I’ll definitely consider reinstalling and paying for premium as the plugin was great.
My team had already built over 1000 internal links using it, so deactivating it will surely have some SEO repercussions, but it’s better than having my WP-Config file wiped out completely.
I hope the author acknowledges this before people’s livelihoods are put more at risk.
Now the problem:
When someone uses the temporary login link for site002 for example they can also see all the other sites when changing the URL site name.
This is of course a security breach!
Is there something you can do about it?
Thank you for your reply!
The problem was solved yesterday with a restoration of the web space via OVH 3 days before. Today the site has been compromised again, the website is displayed abnormally and I cannot access the back office. The login page has changed and reads “the site is unreachable” this will relate to ch.trainresistor.cc. We also did a restoration of the site a week before which did not change anything.
Does anyone have any idea how to fix my problem? This is an advent calendar website where a multitude of users visit every day.
Thanks in advance
So it means that since that version, malware is sending emails from my domain.
Could you please check the security of your plugin’s code and do your utmost to fix this apparent breach in your next update.
Thank you for informing me ASAP
CGC
Switching off the theme fixes the issues (but breaks the website)
This is a major security breach
First of all, congratulations on giving the best form plugin.
Well, I am testing the Forminator plugin and I noticed:
1) If I attach the file to the form and submit it, the attachment is getting stored in the wp-upload folder, which keeps consuming more and more space.
2) It is also adding values in the DB, which is increasing the space of the DB.
3) If you open the attachment from the email it will display the complete URL of storage such as www.example.com/wp-content/uploads/2018-19/08/attachment.pdf which can create a vulnerability.
Can you please provide the best solution for the above issues?