• Resolved jess888

    (@jess888)


    Just received this notice from WP Engine suggesting that BSR is vulnerable, fyi:

    “At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified your site(s), wisdomword wisdomword, is (are) utilizing a vulnerable version of the Better Search Replace plugin.

    WP Engine summary of the vulnerability: The plugin contains a vulnerability wherein an authenticated user could inject SQL statements into WordPress. SQL injection could allow an attacker to gain control of your site.

    Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2593
    https://wpscan.com/vulnerability/229a065e-1062-44d4-818d-29aa3b6b6d41

    Please make sure to run a backup of your database before making any changes. You can learn how to do this in this article: https://wpengine.com/support/restore/.

    Would you like to avoid doing these updates manually in the future? Add the Smart Plugin Manager to your plan today!

    Finally, feel free to reach out to our Support team at any time if you have any questions!

    Thanks
    -WP Engine Security Team”

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Delicious Brains

    (@deliciousbrains)

    Hi, the message you received is an automated notice that goes out to affected WP Engine customers. In this case, it relates to the most recent security update for Better Search Replace 1.4.1, which was released on 07/25/2022 with the security fix mentioned in the changelog. -KH

    So are you saying that the security issue mentioned by WP Engine is present in the latest security update of the plugin (1.4.1) or that the issue was solved with the latest security update?

    Plugin Author Delicious Brains

    (@deliciousbrains)

    The issue was fixed and released in version 1.4.1 as noted in WPScan. We worked directly with the researcher who reported the vulnerability and our security team at WP Engine to ensure it was resolved. -KH

  • The topic ‘Hacking risk’ is closed to new replies.