Viewing 13 replies - 1 through 13 (of 13 total)
  • I have also received this vulnerability warning from Wordfence, and that there is an 8.5.0 patch available.
    https://www.wordfence.com/threat-intel/vulnerabilities/id/43810a17-89b4-44f5-887e-1ad0989ea5b4?source=plugin

    Thanks

    Ditto! I’ve never seen Wordfence expose a vulnerability and say “here’s the plugin’s patch” but there’s nothing there… And 8.5.0 rather than 8.4.1 seemed odd too.

    Cleared every cache everywhere, wondering if it was my ISP’s cache or something, but the site shows no available update either.

    Should we revert to 8.3.1? Or just ensure Firewall rules are Updated – do the “Manual Refresh”?

    Will post to Wordfence too. @mmaunder @wfryan @wfmattr

    @russellbalnig right, that’s what we’re talking about. There is no 8.5.0 there to download. Download button just downloads 8.4.0. Sidebar stats say “Current Version” 8.4.0

    @abuzon that’s it, I am waiting for a response from WooCommerce through email, after they requested more information, which I provided.

    arcane

    (@arcarcane2012)

    This really looks like a miscommunication to me. 8.5.0 was released Jan 7th according to their github, out for a bit but withdrawn because of an unrelated issue. You can see the issues in several of the posts in this forum. Automattic folks have been saying that they’d have v8.5.1 out by Monday.

    Wordfence likely didn’t know that it was withdrawn and waited their few days before releasing the information about the vulnerability and here we are with a medium severity vulnerability and no patch at the moment. I’ve taken my shop offline for the weekend as a result.


    I’ve had my site down since discovering the issue. Will now leave it down till version 8.5.1 Monday.

    Thanks for the information @arcarcane2012

    We received the same alert too. “WooCommerce <= 8.4.0 – Reflected Cross-Site Scripting”. We are worried. Thanks everyone for the updates.

    Hi all. We’re looking at this now as a matter of urgency. Ram Gall, one of our senior threat analysts, is on the case and will have an update shortly, within 60 mins. We’ll include an advisory on what to do given the current state of play. Thanks for your patience.

    Mark Maunder

    Hi All,

    It looks like this was in fact a miscommunication – Version 8.5.0 containing a patch was not only pushed to github but also to the WordPress SVN, and an entry mentioning the XSS was noted in the 8.5.0 changelog which cued us into the vulnerability in the first place.

    Our standard process is not to disclose vulnerabilities until they’re patched – but in this case it looks like 8.5.0 was rolled back. The bad news is that the patch is publicly available meaning that it’s now trivial for any attackers to find the same vulnerability – it would be public at this point even if we didn’t have our vulnerability entry.

    The good news is that it’s Reflected Cross-Site Scripting, which requires user interaction, and all Wordfence users, including Free Wordfence users, as well as users of almost all other WAF products from other providers, should be protected from this type of issue.

    While Cross-Site Scripting vulnerabilities can have Critical impacts, the threat posed by this particular vulnerability is fairly low – don’t click on any suspicious links, and make sure you have a firewall like the Wordfence Firewall installed, and you’ll be fine. We’re going to mark it unpatched for the time being and keep an eye out for when a full patch is released.


    Will have something on the Wordfence blog and via the WordPress security email list shortly.

    An update – after further review, the vulnerability was actually patched in version 8.4.0, meaning the current version is not vulnerable. We’ve updated our vulnerability record to reflect this and will be revisiting our processes to ensure this type of issue doesn’t happen again.

    Thanks,
    Ramuel Gall

    It’s a false-positive. This vulnerability was already fixed in 8.4.0 (5 weeks ago). 8.4.0 is not vulnerable.

    Phil

    (@probablynotphil)

    Seems like this is quite the mess-up from WordFence, imho.

  • The topic ‘Patch for new vulnerability?’ is closed to new replies.