• Resolved persist9

    (@persist9)


    I find the WordPress plugin Insert Pages very useful for presenting an excerpt of one post in another post.

    I ran a scan using the plugin WordFence and was most disappointed when WordFence stated:

    The Plugin “Insert Pages” has been removed from www.ads-software.com.
    Plugin Name: Insert Pages
    Plugin Website: https://github.com/uhm-coe/insert-pages
    Current Plugin Version: 3.2.3
    Severity: Critical
    Status New
    It may have compatibility problems with the current version of WordPress or unknown security issues.

    Is this correct?
    Will this situation be remedied?
    If not, what replacement do people suggest?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Insert Page is one of the most useful plugins among those I use.
    I’m glad it’s still here, and you can download and update it (I double-checked after reading your post).

    I see 3.2.4 of Insert Pages was released 2 days ago; maybe that led to an error on Wordfence?

    Cheers

    btw, the 3.2.4 version states that it is a security fix!

    Many thanks to the developers for being so proactive!

    The WordPress > Plugins > Insert Pages has now reappeared on the WordPress site. I have updated to version 3.2.4 and the WordFence scan error has now gone.

    https://www.ads-software.com/plugins/insert-pages/

    The issue @persist9 was having should now be resolved once the 3.2.4 update is applied.

    Plugin Author Paul Ryan

    (@figureone)

    Yep, a vulnerability report was submitted. Basically, a nefarious Editor (or above) on your site could specify a custom template in the Insert Pages shortcode that was outside of the WordPress root (directory traversal attack). Combined with the ability to insert custom PHP code into the web server logs by specifying a fake User Agent string, the attacker could execute arbitrary code by pointing the custom template to the log file.

    The vulnerability is mitigated by the fact that the attacker would already need an account on your WordPress site with Editor privileges or higher.

    The vulnerability was fixed in 3.2.4, and I’ll be releasing another update soon because the fix was a bit too restrictive and messed with legitimate custom template uses (if the custom templates are in a child theme instead of the parent theme).
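
Added example, not the Insert Pages plugin's own fix: a containment check for a shortcode-supplied template path that accepts files in either the child or the parent theme (the case the reply above says the first fix broke) and rejects anything that resolves outside both. The function name `resolve_template` and the sandbox paths are hypothetical; in WordPress the two roots would come from `get_stylesheet_directory()` and `get_template_directory()`.

```php
<?php
// Added example: containment check for a user-supplied template path.
// $roots stands in for get_stylesheet_directory() (child theme) and
// get_template_directory() (parent theme) in a real WordPress install.

function resolve_template(string $requested, array $roots): ?string
{
    foreach ($roots as $root) {
        $base = realpath($root);
        if ($base === false) {
            continue; // root itself does not exist
        }
        // realpath() collapses ../ and follows symlinks; false if the file is missing.
        $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
        if ($real === false || !is_file($real)) {
            continue;
        }
        // Compare against the root plus a trailing separator so that
        // "/themes/child-evil" cannot pass as being inside "/themes/child".
        $inside = strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
        $is_php = strtolower(pathinfo($real, PATHINFO_EXTENSION)) === 'php';
        if ($inside && $is_php) {
            return $real;
        }
    }
    return null; // caller should fall back to the default template
}

// Constructed sandbox: a parent theme, a child theme, and a log file outside both.
$tmp = sys_get_temp_dir() . '/ip-demo-' . uniqid();
mkdir("$tmp/themes/parent", 0700, true);
mkdir("$tmp/themes/child", 0700, true);
mkdir("$tmp/logs", 0700, true);
file_put_contents("$tmp/themes/parent/page.php", "<?php // parent template\n");
file_put_contents("$tmp/themes/child/excerpt.php", "<?php // child template\n");
file_put_contents("$tmp/logs/access.log", "constructed log line\n");

$roots = ["$tmp/themes/child", "$tmp/themes/parent"]; // child theme first, then parent

// Two legitimate templates, one traversal outside the themes, one missing file.
foreach (['excerpt.php', 'page.php', '../../logs/access.log', 'missing.php'] as $t) {
    $hit = resolve_template($t, $roots);
    $shown = $hit === null ? 'REJECTED' : substr($hit, strlen(realpath($tmp)));
    printf("%-24s => %s\n", $t, $shown);
}
```

The decision is made on the resolved path, not on the string the editor typed, so filtering `../` out of the input is not needed and is not relied on.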

  • The topic ‘“Insert Pages” has been removed from www.ads-software.com’ is closed to new replies.