• Resolved Adam (@adamlachut)

    Hi,

    The PixelYourSite plugin shares the same slug for both its paid and free versions, yet these versions follow different numbering conventions.

    Both versions have a known vulnerability (CVE-2023-2584): it affects the free version in versions <=9.3.6 and the paid version in versions <=9.6.1.

    Regrettably, in the WPScan database, this vulnerability is described as being present in all versions of PixelYourSite <=9.6.1. While this is true for the Pro version, it is not accurate for the free versions. As a result, the current version of PixelYourSite (free), which is 9.3.8.1, is incorrectly marked by Jetpack Protect as vulnerable.
    Are you able to fix this?

    Best Regards

    Adam

Viewing 1 replies (of 1 total)
  • Hello Adam!

    I can definitely understand the concern and frustration you are experiencing with this. Unfortunately, using the same slug for multiple plugins (free and paid) is not advisable – especially so when they use separate versioning. WPScan does not yet support this sort of setup as the system has no reasonable way to discern or report on the two independently.

    Once the paid plugin has been resolved and the version is bumped, the plugin fix will be reviewed and the report updated. However, as you’ve noted, the free version is lower than the paid, so those versions will still have the vulnerability reported.

    Jared
    Code Wrangler @ Automattic
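
The mismatch discussed in this thread, as an added example that is not code from WPScan, Jetpack Protect or either poster: it compares a single range for the shared slug with the per-edition ranges given in the first post, so a site owner can triage a finding by hand. The edition label is an assumption (the operator supplies it), and all function names are hypothetical.

```python
from itertools import zip_longest

# Last affected version per edition for CVE-2023-2584, as stated in the thread.
LAST_AFFECTED = {"free": "9.3.6", "pro": "9.6.1"}


def parse_version(text):
    """Split a dotted numeric version such as '9.3.8.1' into a tuple of ints."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Return -1, 0 or 1. Missing components count as 0 (9.3.8 == 9.3.8.0)."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def slug_only_match(installed):
    """One range for the shared slug: every version <= 9.6.1 is flagged."""
    return compare(installed, LAST_AFFECTED["pro"]) <= 0


def edition_aware_match(installed, edition):
    """Range chosen by edition; the edition label is operator-supplied (assumption)."""
    if edition not in LAST_AFFECTED:
        raise ValueError(f"unknown edition: {edition!r}")
    return compare(installed, LAST_AFFECTED[edition]) <= 0


def triage(installed, edition):
    """Classify a slug-only finding against the edition-specific range."""
    if edition_aware_match(installed, edition):
        return "affected"
    if slug_only_match(installed):
        return "false positive"
    return "not affected"


if __name__ == "__main__":
    # Constructed inventory: (installed version, edition) pairs.
    for version, edition in [("9.3.8.1", "free"), ("9.3.6", "free"), ("9.6.1", "pro")]:
        print(version, edition, triage(version, edition))
```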
  • The topic ‘False positives for PixelYourSite (free) plugin’ is closed to new replies.