CRITICAL Uncaught TypeError in Crypto.php(148)

Are you planing to fix critical issues? Your plugin is not usable as it is right now.

I can confirm this issue on one of my client’s websites, after having updated to WooCommerce 5.3.0.

Yesterday I’ve tried to uninstall and then re-install the plugin and issue is gone as well as all the license keys ?? which is kind of shocking.

Hello @oneteamsoftware and @mezzomedia

I will need some more information on how this happened, it sounds to me like you’ve deleted the cryptographic secrets:

https://www.licensemanager.at/docs/handbook/setup/cryptographic-secrets

These files are used to encrypt and decrypt the license keys, if they’re gone then all the encrypted license keys in your database can never be decrypted again. Have you maybe moved these files around? Do you have a backup?

Nothing has been moved, it has happened after plugin update.
What can wipe the keys? How are they stored and why would they be deleted on plugin update?

@oneteamsoftware

Well, the keys are stored in the wp-content/uploads/lmfwc-files folder, perhaps a manual cleanup or a file/database migration?

If that’s not the case, then I really don’t know. If you have a staging environment I would be willing to take a look myself.

It has happened in local dev environment after mass plugins update.

The sequence of events is about like that:
– Cloned production to local maybe around 1 year ago (everything was fine, all licenses worked)
– Updated various plugins from time to time (all good)
– Then on a version change of lmfwc we have decided to verify that everything will continue to work and updated all the plugins including lmfwc

At this point it stopped working.

I’m wondering if plugin might be trying to look for the key and if it does not see one then it will regenerate it or anything else might conditionally change these files?

At the point of my comment (from 3 weeks ago), I have tried to uninstall plugin and reinstall it which lead to all the licenses to completely disappear. But new ones are working fine.

So the main concern points for me are:
1. Possible vulnerability of the way how secret keys are stored
2. Database of licenses might be wiped out on uninstall / re-install

In relation to (1) can secret keys be store with update_option instead ?

@oneteamsoftware

Did you upgrade from a very old version (1.x)? If so, then that might be the issue. The old 1.x version had the cryptographic secrets stored in the plugin folder, which was a major mistake. The plugin folder gets deleted on every plugin update, and this might have happened to you.

The new versions store the files in the wp-content/uploads/lmfwc-files folder, which is not touched when any plugin is updated.

I would highly recommend storing the crpytographic secret and key in a constant inside the wp-config.php. This is described on the website, here’s the link:

https://www.licensemanager.at/docs/handbook/setup/security

Let me know if you need further help.