Geely GX3 Pro ground clearance.Claim Your Free 999 Pesos Bonus Today

Resolved rlwp
(@rlwp)

11 months, 2 weeks ago
Jetpack Protect correctly says versions <= 2.3.28 of GigPress are affected by a vulnerability, but gives me an alert despite version 2.3.29 being installed.

GigPress (2.3.29)

GigPress <= 2.3.28 – Subscriber+ SQLi
What is the problem?
The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks

GigPress 2.3.29 was released on github by the original plugin authors to address this vulnerability.
- This topic was modified 11 months, 2 weeks ago by rlwp.

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Support lastsplash (a11n)
(@lastsplash)

11 months ago

Hi @rlwp –

I downloaded the version of GigPress that you linked (v2.3.29) and Jetpack Protect did not report the vulnerability that you shared.

Can you provide a screenshot showing the warning? Did you remove 2.3.28 before installing 2.3.29?

Thread Starter rlwp
(@rlwp)

11 months ago

Screenshots above. I don’t remember if I uninstalled the vulnerable version before upgrading Gigpress; it was a while ago and I only recently started using Jetpack.

Mehdi Benchalal
(@muffinpeace)

10 months, 2 weeks ago

Hi @rlwp

I can confirm that version 2.3.28 is indeed vulnerable to the vulnerability you have shown in the screenshot, we were not aware of a fix in the 2.3.29 on Github since the plugin is now closed on WP.org.

Are you in contact with the developers since you discovered the fix?
Thread Starter rlwp
(@rlwp)

10 months, 2 weeks ago
The developers published the fixed version (2.3.29) on GitHub precisely to access that security flaw. So I downloaded and installed it. I haven’t contacted them.
- This reply was modified 10 months, 2 weeks ago by rlwp.
Plugin Support lastsplash (a11n)
(@lastsplash)

10 months, 1 week ago
Hi @rlwp –

We don’t monitor GitHub for new versions. The data used by Jetpack Protect is based on our WPScan service. You can see a report for GigPress there:
- https://wpscan.com/plugin/gigpress/
I’d recommend reaching out to the developers of the plugin to get confirmation that they have addressed the issues:
- https://theeventscalendar.com/

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘False positive (Gigpress 2.3.29)’ is closed to new replies.

Tags