• Resolved maxbelloni

    (@maxbelloni)


    Hello,

    Just got a message from Wordfence alerting about an AdRotate vulnerability (never got a message like this in the past).

    Link to the capture screen of the message: https://imgur.com/a/hIG4DmQ

    Any idea?

    Regards

    • This topic was modified 2 years, 4 months ago by maxbelloni.
  • I received the same message. What’s being done about this, dev team? The dev team needs to give us an update on this soon! Our websites are at risk and we need to know if we should delete this software to maintain security on our websites!

    Plugin Author Arnan de Gans

    (@adegans)

    Blogvault flagging it as well.

    AdRotate Vulnerability
    Category: PLUGIN
    Versions Affected: <= 5.9
    Type: Cross Site Request Forgery
    Severity: MEDIUM
    Description:Multiple Cross-Site Request Forgery (CSRF) vulnerabilities leading to resetting some of the maintenance settings (Reset tasks, Disable the third party, Update Database) were discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress AdRotate Banner Manager plugin (versions <= 5.9).
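
    For readers unfamiliar with the vulnerability class named in that advisory: a CSRF weakness in a WordPress admin action means a logged-in administrator who is lured onto a third-party page can have a state-changing request (here, a maintenance reset) submitted on their behalf, because a capability check alone proves who the user is, not that they intended the request. The standard WordPress defence is a per-action nonce emitted in the form and verified in the handler. The block below is an added illustration written for this thread, not AdRotate's code and not its actual handler; every `example_` function, hook and option name is a placeholder.

```php
<?php
// Added illustration, not AdRotate's code. All "example_" names are placeholders.

// Weak pattern: the handler relies on the capability check alone.
// It confirms the caller is an admin, but not that the admin meant to
// submit this request, so a forged cross-site POST from the admin's
// browser is accepted.
function example_maintenance_reset_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    delete_option( 'example_pending_tasks' ); // state change happens unconditionally
    wp_safe_redirect( admin_url( 'admin.php?page=example-maintenance&reset=1' ) );
    exit;
}

// Hardened pattern, part 1: the form carries a nonce bound to this action
// and to the current user's session.
function example_render_maintenance_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_maintenance_reset">
        <?php wp_nonce_field( 'example_maintenance_reset', 'example_nonce' ); ?>
        <?php submit_button( 'Reset tasks', 'secondary' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the handler checks both who is asking and
// whether the request carries a valid nonce for this exact action.
function example_maintenance_reset_hardened() {
    // 1. Authorization: only administrators may run maintenance.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Intent: the nonce must have been issued for this action to this user.
    //    check_admin_referer() terminates the request with a 403 if it is
    //    missing, expired or issued for a different action.
    check_admin_referer( 'example_maintenance_reset', 'example_nonce' );
    // 3. Only now perform the state change.
    delete_option( 'example_pending_tasks' );
    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'admin.php?page=example-maintenance' ) ) );
    exit;
}
add_action( 'admin_post_example_maintenance_reset', 'example_maintenance_reset_hardened' );
```

    The same pattern applies to any button that changes plugin state (reset tasks, toggle a third-party integration, run a database update): nonce in the form, `check_admin_referer()` or `wp_verify_nonce()` in the handler, and the capability check kept alongside it rather than replaced by it. When auditing a plugin for this class of issue, the question to ask of each `admin_post_*` or `admin-ajax` handler is whether a valid nonce is required before the first write.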
    Plugin Author Arnan de Gans

    (@adegans)

    See my earlier reply.

    Plugin Author Arnan de Gans

    (@adegans)

    Addressed in version 5.9.1 – update now.

    Wordfence is still saying it is not patched yet. Why?

    Plugin Author Arnan de Gans

    (@adegans)

    Dunno, I don’t work for them.

    Arnan,

    No doubt you have created a great plugin and we are indebted to you for your free services; however, your general behavior is not good.

    When someone reported an issue, your first reaction was that it is a false report. Before publishing such bugs, the security experts do report them to the plugin author.

    You later said that the issue is fixed in a later version. So you accepted at a later stage that there was an issue.

    Now I am just asking why it is not showing as fixed on the plugin security vulnerability site, and your answer is not up to the mark.

    • This reply was modified 2 years, 2 months ago by Fropky.
    Plugin Author Arnan de Gans

    (@adegans)

    It was a false report indeed, and I only made an edit because they made their report and everyone else believed it to be an actual vulnerability, while it was not.

    If you know my code better, or the risks of clicking a button that requires admin access to work and that then does nothing that can be hacked, leaked or stolen, please enlighten me…

    As far as I know the report from whoever found it has been marked fixed.
    So if WordFence didn’t update their stuff that’s outside my control.

    Plugin Author Arnan de Gans

    (@adegans)

    I’ve told WordFence to update their database.
    Hopefully they’ll fix it soon.

  • The topic ‘Critical vulnerability found by Wordfence’ is closed to new replies.