• Resolved John

    (@dsl225)


    Hello,

    Since the latest update (1.2) I get what seems to be a false positive alert for the plugin “SEO Redirection”, for version 2.2 – which is from last year. The latest version of this plugin (installed) is 3.9 and a couple of weeks old.

    I don’t really know whether the problem is here with this plugin or with the other one that might return a wrong version, but I got the alert only after updating this one.

    Thanks!

Viewing 15 replies - 1 through 15 (of 23 total)
  • Thread Starter John

    (@dsl225)

    The same happens for “WP Media Cleaner”: I have version 2.6.0 installed but I am getting an alert for version 2.2.6.

    Hey, John!

    The update was based on one of my suggestions.
    I checked both of your plugins and the vulnerabilities listed are not marked as fixed in the WPScan database. So as far as the plugin is concerned, it works as expected. They are not false positives because both plugins are listed as vulnerable.

    SEO Redirection is fairly popular and the best course of action is to open a ticket on their support forum and ask if the vulnerability was fixed. If it was, they can request to have it marked as fixed. If it wasn’t, you should switch to another plugin. (SEO Redirection has 2 vulnerabilities listed in WPScan, in 2.2 and 2.8 and only the second one is marked as fixed)

    WP Media Cleaner on the other hand, is definitely vulnerable. It was even removed from the WordPress Repository to prevent other people from using it.

    Best regards,
    Eusebiu Oprinoiu

    BTW, the version you see is not the version of your plugin, it is the version in which the vulnerability was detected. (And it only appears if your plugin does not contain a fix for it)

    Thread Starter John

    (@dsl225)

    OK, thanks for this, well noted.
    Will follow your advice then.

    Thread Starter John

    (@dsl225)

    The problem here is that we keep receiving email alerts for old vulnerabilities that were probably cleaned but not marked as fixed at the DB.

    Is there a way to mark some vulnerabilities as “seen” and stop receiving email alerts every single day?

    Hey, John!

    WPScan is quite consistent at updating the vulnerability status even for the most obscure plugins, so if something is listed as not fixed, it probably isn’t. Don’t presume a plugin is clean just because a vulnerability is old.

    I understand, however, in edge-case scenarios you might still want to keep a vulnerable plugin. In cases like that, an option to ignore certain vulnerabilities can be helpful. Perhaps Edir will be kind enough to implement such a feature in a future version.

    Thread Starter John

    (@dsl225)

    Yes, that’s right, such an option would be most welcome!

    Hi guys, I’ll check that soon and look at the best way to ignore such cases. Probably I’ll have to create an ignore button for each vulnerability to hide it in emails, while still notifying about new ones that are not fixed. If you have ideas, write here.

    Thread Starter John

    (@dsl225)

    Yes, that would be great!
    Another option would be to specify the number of reminders a user wants to receive?
    One single one for each new vulnerability found or repeat with reminders every week/month/year…

    I don’t think vulnerabilities should be ignored / hidden entirely. They should all be listed on the plugin dashboard.
    Postponing the emails is not ideal either. People should be notified as soon as a new vulnerability is detected.
    Since each vulnerability has a unique ID, you could dynamically build a list of checkboxes with all the vulnerabilities detected. Then, when the cron job runs, if there is at least one checkbox empty, send the email.
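The two mechanisms discussed in this thread, the version check Eusebiu describes (the alert shows the version in which the vulnerability was found and is raised only while the installed version carries no fix) and the per-vulnerability ignore list sketched by Edir and Eusebiu (ignoring only suppresses the e-mail, every vulnerability still appears on the dashboard, and the cron job mails only if at least one unignored vulnerability remains), as one added PHP example. This is illustrative code written for this page, not the Vulnerability Alerts plugin's own code: the option name `va_example_ignored_ids`, the `va_example_*` function and hook names, the `detected_in`/`fixed_in` record shape and the sample vulnerability records are all hypothetical or constructed. It runs stand-alone with `php example.php`; the WordPress hooks at the bottom register only when WordPress is loaded.

```php
<?php
// Added example for this thread, not the Vulnerability Alerts plugin's own code.
// The core is plain PHP so it can be run with `php example.php`; the WordPress
// hooks at the bottom are only registered when WordPress functions exist.

// Constructed sample records in an assumed WPScan-like shape. 'fixed_in' === null
// means the database does not mark the issue as fixed, so every installed
// version is treated as affected (the situation described in this thread).
function va_example_sample_vulnerabilities(): array {
    return [
        ['id' => 'vuln-0001', 'plugin' => 'seo-redirection',  'title' => 'Example issue A',
         'detected_in' => '2.2',   'fixed_in' => null],
        ['id' => 'vuln-0002', 'plugin' => 'seo-redirection',  'title' => 'Example issue B',
         'detected_in' => '2.8',   'fixed_in' => '2.9'],
        ['id' => 'vuln-0003', 'plugin' => 'wp-media-cleaner', 'title' => 'Example issue C',
         'detected_in' => '2.2.6', 'fixed_in' => null],
    ];
}

// A record applies to the installed version when it is not marked fixed, or
// when the installed version is older than the fixing release.
function va_example_applies(array $vuln, string $installed): bool {
    if ($vuln['fixed_in'] === null) {
        return true;
    }
    return version_compare($installed, $vuln['fixed_in'], '<');
}

// Dashboard rows: every applicable record, ignored or not, with an 'ignored'
// flag so a settings page can render one pre-checked checkbox per unique ID.
function va_example_dashboard(array $installed, array $vulns, array $ignored): array {
    $rows = [];
    foreach ($vulns as $v) {
        if (!isset($installed[$v['plugin']])) { continue; }
        if (!va_example_applies($v, $installed[$v['plugin']])) { continue; }
        $rows[] = $v + ['ignored' => in_array($v['id'], $ignored, true)];
    }
    return $rows;
}

// E-mail rows: only the unignored ones. An empty result means no e-mail; a
// newly detected ID is never in the ignore list, so it still triggers mail.
function va_example_email_rows(array $rows): array {
    return array_values(array_filter($rows, fn ($r) => !$r['ignored']));
}

// The version printed is the one the vulnerability was detected in, not the
// installed version, which is the point clarified earlier in the thread.
function va_example_format(array $rows): string {
    $lines = [];
    foreach ($rows as $r) {
        $lines[] = sprintf('%s: %s (detected in %s, fixed in: %s) [%s]',
            $r['plugin'], $r['title'], $r['detected_in'],
            $r['fixed_in'] ?? 'not marked as fixed', $r['id']);
    }
    return implode("\n", $lines);
}

if (function_exists('add_action')) {
    // A hypothetical settings form posts its checkbox values as ignored[] here.
    add_action('admin_post_va_example_save_ignored', function () {
        if (!current_user_can('manage_options')) { wp_die('Forbidden'); }
        check_admin_referer('va_example_save_ignored');
        $ids = array_map('sanitize_text_field', (array) ($_POST['ignored'] ?? []));
        update_option('va_example_ignored_ids', array_values(array_unique($ids)));
        wp_safe_redirect(wp_get_referer() ?: admin_url());
        exit;
    });
    // Daily cron: mail only if at least one applicable vulnerability is unignored.
    add_action('va_example_daily', function () {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
        $installed = [];
        foreach (get_plugins() as $file => $data) {
            $installed[dirname($file)] = $data['Version'];   // plugin folder => version
        }
        $rows = va_example_dashboard($installed, va_example_sample_vulnerabilities(),
            (array) get_option('va_example_ignored_ids', []));
        $mail = va_example_email_rows($rows);
        if ($mail) {
            wp_mail(get_option('admin_email'), 'Vulnerability alert', va_example_format($mail));
        }
    });
    add_action('init', function () {
        if (!wp_next_scheduled('va_example_daily')) {
            wp_schedule_event(time(), 'daily', 'va_example_daily');
        }
    });
} else {
    // Stand-alone run with constructed installed versions taken from the thread
    // (3.9 and 2.6.0) and issue A ignored: the dashboard lists A and C, B is
    // dropped because 3.9 is not below 2.9, and the e-mail contains only C.
    $installed = ['seo-redirection' => '3.9', 'wp-media-cleaner' => '2.6.0'];
    $rows = va_example_dashboard($installed, va_example_sample_vulnerabilities(), ['vuln-0001']);
    echo "Dashboard:\n" . va_example_format($rows) . "\n\n";
    $mail = va_example_email_rows($rows);
    echo $mail ? "E-mail:\n" . va_example_format($mail) . "\n" : "No e-mail today.\n";
}
```

The ignore list is keyed on the vulnerability's unique ID rather than on plugin name or version, so a later, different vulnerability in the same plugin is not silenced by an earlier ignore, and the dashboard keeps showing ignored entries because `va_example_dashboard` never filters them out; only `va_example_email_rows` does.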

    Thread Starter John

    (@dsl225)

    Here’s an example of the problem I’m talking about:
    https://www.ads-software.com/support/topic/vulnerabilitiy-alert/

    Plugin or theme authors make updates that include vulnerability fixes but don’t bother to mark them as fixed.

    In such cases it’s useful to be able to stop receiving alerts.

    Hi John. I’ll check that this weekend, right now I’m very busy on a project.

    Thread Starter John

    (@dsl225)

    No problem, nothing urgent for me, this was just FYI – nothing more.
    Thanks!

    Ok guys, I built it this Sunday, could you test it for me before I publish? Just download and drag the folder to your WP site.

    https://github.com/edirpedro/vulnerability-alerts/archive/master.zip

    Thread Starter John

    (@dsl225)

    Is this an update of the previous version or a new package?

    As the name is different, I tried to install it as a new package (and deactivated the previous one) but it didn’t work.

    I got this:

    Unpacking the package…

    Installing the plugin…

    The package could not be installed. No valid plugins were found.

    Plugin install failed.

  • The topic ‘False alert since update’ is closed to new replies.