Critical Vulnerability – arbitrary file upload

As of Dec 4, 2023, my site still shows 1.0.8 as the latest version and WordFence still shows this critical security threat as not yet fixed. Until it is, I’ve uninstalled the plugin.

This critical vulnerability has me worried. It keeps coming up in my Wordfence scans. I’m thinking about deactivating and deleting this plugin for now (at least until it’s patched). Question (and I feel stupid for asking): If I delete this plugin, will it affect the child theme that I currently have enabled on my website? I feel like once the child theme is created and active it’s no longer tied to the plugin but I’m not 100% sure. Ugh.. any thoughts on that?

Thanks!!

@ptday64 and @neville The change log states that the latest update 1.0.9 has fixed the issue.

• Plugin Name: WP Child Theme Generator
• Current Plugin Version: 1.0.9
• Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “WP Child Theme Generator” until a patched version is available. Get more information.(opens in new tab)
• Repository URL: https://www.ads-software.com/plugins/wp-child-theme-generator(opens in new tab)
• Vulnerability Information: https://www.wordfence.com/threat-intel/vulnerabilities/id/49fcd2cb-d880-4152-a736-33fd90f07083?source=plugin(opens in new tab)
• Vulnerability Severity: 9.1/10.0 (Critical)

Wow, I was about to use this plugin, thanks guys for posting this, it seems plugin developer is not responsive to this issue and at minimum has not come into the thread with feedback to mitigate the concern, that is a red flag for me.

Hello everyone,

We apologize for the delay in responding and any inconvenience this may have caused. The critical vulnerability that allows arbitrary file uploads in the WP Child Theme Generator plugin has been fixed in the latest version. We encourage all users to update to this version to secure their sites.

Thank you for your understanding, and we appreciate your patience.