• Resolved mike73

    (@mike73)


    Hello,

    … your new scan result (added in version 6.3.11) is a good idea!
    “The Plugin “xyz” has been removed from www.ads-software.com”

    But I’ve a question/problem with one error message for the plugin “Auto ThickBox Plus”!
    I use the “Auto ThickBox Plus” version 1.9 and these guys here say:
    https://jetpack.com/features/security/library/auto-thickbox-plus-plugin/

    Insecure versions: Up To 1.9
    Known since: 2015-12-09 01:28:23

    “We have rated auto-thickbox-plus as Good (current version safe) which means that we have found vulnerabilities in older versions. We recommend that you only use the latest version of auto-thickbox-plus.”

    Means: The version 1.9 is safe!
    Only the older versions are unsafe or have unpatched security issues. Right!?!

    ##########################
    But you/WordFence say:
    ——————————–
    The Plugin “Auto ThickBox Plus” has been removed from www.ads-software.com.
    It has unpatched security issues and may have compatibility problems with the current version of WordPress.
    ——————————–
    ##########################

    Only based on the one fact, that this plugin “Auto ThickBox Plus” has been removed from www.ads-software.com. OK, it is now 2 years without support or update.
    But does this version 1.9 really have unpatched security issues?
    Or only the older versions?!
    Because this plugin is very good and helpful!

    Can you make a security check for this plugin again?
    Or how can I make a security check for this plugin?
    Does a “how to” exist?

    Thanks for your quick help/answer!

    G, Mike

Viewing 3 replies - 1 through 3 (of 3 total)
  • There is nothing worse than using an old orphaned plugin. But for many of us this is indeed a struggle, as we build a nice website based on perhaps a small but essential stack of plugins, then a year or two later, a necessary plugin basically ceases to exist! This is the main security flaw of WordPress and they do not want to own up to it, so we’re left with trying to figure out how to deal with it ourselves. My approach: constantly spend hours trying to work around orphaned plugins, and eventually delete them. No other approach is really valid, other than hiring someone to re-write and harden the plugin just for you.

    Beyond the above, I’ve found it worthwhile to be very skeptical of any plugin, and I keep my stack to a maximum of about 12.

    MTN

    Hi Mike,
    I checked the “auto-thickbox-plus” plugin code (version 1.9) and I can tell that this version has the vulnerable code reported on “WPScan Vulnerability Database” here. Also, on the vulnerability report page, you can see it says “<= 1.9”, which means any version before 1.9 including 1.9 itself.

    Based on that, I wouldn’t recommend running this plugin on your website in any situation.

    Thanks.

    Hello!

    I hope we were successful in helping you resolve your issue with Wordfence! Since we have not heard back from you in the past 2 weeks, I will now be marking this support thread as resolved. However, if we still haven’t resolved your issue, please reach out to us as we would be more than happy to further assist you!

    Thanks and have a great day!
    Chloe

  • The topic ‘Is “Auto ThickBox Plus” safe?’ is closed to new replies.