Jili slot rtp live today.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved johnamp
(@johnamp)

1 year, 8 months ago

I just installed the plugin and the plesk vulnerability check gave use this notice:

WordPress Instant Images <= 5.2.0.1 – Auth. Server-Side Request Forgery (SSRF) vulnerability

I see that Wordfence Security plugin says the same thing.

Is this something we should be worrying about? Apparently it has been vulnerable since v5?

Viewing 15 replies - 1 through 15 (of 18 total)

1 2 →

Plugin Author Darren Cooney
(@dcooney)

1 year, 8 months ago

@johnamp Should be fixed in the latest version, however, I’m waiting for the security researcher to get to me to confirm from PatchStack.

WooCommerce Premium
(@besselink)

1 year, 8 months ago

Same Problem here with version 5.2.0.1. Should be fixed in the latest version. But latest public version is still 5.2.0.1.

Plugin Author Darren Cooney
(@dcooney)

1 year, 8 months ago

Not sure what you mean @besselink

WooCommerce Premium
(@besselink)

1 year, 8 months ago

There is now public version 5.2.0.2 available. But the Plugin is in Plesk and Patchstack still vulnerable.

Plugin Author Darren Cooney
(@dcooney)

1 year, 8 months ago

Is there anything I can do here?

WooCommerce Premium
(@besselink)

1 year, 8 months ago

waiting for response from patchstack, please

Thread Starter johnamp
(@johnamp)

1 year, 8 months ago

Thanks for the quick response.

WooCommerce Premium
(@besselink)

1 year, 8 months ago

Version 5.2.0.2 is vulnerable: https://patchstack.com/database/vulnerability/instant-images/wordpress-instant-images-5-1-0-1-auth-server-side-request-forgery-ssrf-vulnerability

Fix it, please.
Plugin Author Darren Cooney
(@dcooney)

1 year, 8 months ago
@besselink trust me I’d like to. Patchstack stopped responding to my email enquiries so I don’t know what else needs to be fixed.

it says in the report they have contacted me but it is false.
- This reply was modified 1 year, 8 months ago by Darren Cooney.
WooCommerce Premium
(@besselink)

1 year, 8 months ago

Hmmm…WPScan is not finding any vulnerabilities.

WooCommerce Premium
(@besselink)

1 year, 8 months ago

Maybe this can help you: https://shieldfy.io/security-wiki/server-side-request-forgery/server-side-request-forgery/

WooCommerce Premium
(@besselink)

1 year, 8 months ago

In Plesk the admin can set following inside the panel.ini to turn off vulnerability scan:

[ext-wp-toolkit]
vulnerabilityFeature = false
Christina Hills
(@christinahills)

1 year, 8 months ago
I love this plugin and teach it to all my WordPress students.

Here is what WPengine told me that it’s still a problem

https://wpscan.com/vulnerability/bb23bf9c-b0f2-441f-819c-aece423d61a1

I would love to see this cleared up.

thanks for making an awesome plugin!
- This reply was modified 1 year, 8 months ago by Christina Hills. Reason: I forgot to mention something
Plugin Author Darren Cooney
(@dcooney)

1 year, 8 months ago

This is getting interesting… WP Engine just sent around an automated email about the Vulnerability.

At this time, we are not seeing that the plugin author has released an update or patch for this vulnerability. WP Engine has attempted to reach out to the plugin author to request the timing of a patch. We will report back to you if/when we receive a timeframe for when the author expects to release one.

They absolutely have not contacted me. And PatchStack won’t respond either.

Plugin Author Darren Cooney
(@dcooney)

1 year, 8 months ago

@besselink Update: PatchStack responded… they are going to look into it and get back to me asap.

Viewing 15 replies - 1 through 15 (of 18 total)

1 2 →

The topic ‘Instant Images <= 5.2- Auth. Server-Side Request Forgery (SSRF) vulnerability’ is closed to new replies.