• Resolved Manni02

    (@manni02)


    It looks like the plugin has been temporarily withdrawn from www.ads-software.com and isn’t available for download (I was alerted to this by Wordfence).

    Please could you explain why?

    Wordpress says it’s under review, but there is no further explanation.

    Thanks

Viewing 10 replies - 16 through 25 (of 25 total)
  • Plugin Author Cristian Raiber

    (@cristianraiber-1)

    Plugin is waiting for review from the www.ads-software.com staff.

    Fun fact: the “staff” at www.ads-software.com (or better said, the plugins team) is made entirely out of volunteers. As in – no one gets paid. As you can imagine, they have to deal with more issues than this one.

    I know it seems stressful, but the best thing we can do right now is sit patient and let them “do their thing”.

    We’re here to support this plugin and we’ll iterate on it as long as it takes for it to be reinstated.

    Warm regards,
    /Cristian.

    Cristian,

    We are all well aware of the timelines involved in managing security issues like this, that’s not the concern.

    Our concern is the exposure to our clients’ sites, if there is indeed a remotely exploitable vulnerability. If it’s not in the upload functionality, then it’s not something we can manage through the plugin settings, and therefore our only real remedy is to disable the plugin completely until the update/patch is released. Obviously, this is going to have a non-trivial impact on the look/feel/performance of our clients’ sites, so if we’re going to take a drastic step like disabling the plugin, we’d like to know if it’s a reasonable response to the security exposure.

    Normally, until updates/patches are released, it would be a best practice to share meaningful mitigation measures. The lack of guidance in this respect is concerning, as we are all feeling exposed at the moment.

    None of us can afford to have our clients’ sites compromised or hacked. Is there nothing you can tell us in terms of mitigation strategies?

    Soooo. Is anyone just going to give up and disconnect this plugin? This length of time without some news is not good.

    I understand people are concerned, but at this stage (given that it’s a bug affecting every version of this plugin with no patch yet available), it’s impossible to reveal any more specific information without also increasing the risk of said bug being exploited. In this particular circumstance I believe ‘security by obscurity’ is the lesser evil. Just my two cents.

    I won’t be disabling on my client sites. It’s a great plugin that I’ve put a lot of time into configuring. Unless something changes, the developers deserve the benefit of any doubt here.

    Security issues are a fact of life. I respect that it’s being addressed as quickly as possible and that details are not being published.

    To the developers, thanks for being as responsive as you can be in communicating with us all here.

    Plugin Author Cristian Raiber

    (@cristianraiber-1)

    Just a quick update: plugin is still pending review. FWIW – the issue will be disclosed, in detail, here, once we have an approved patched version live.

    I can’t recommend disabling or not disabling the plugin – I’d leave that up to you. Some people hear “security issue” and think the worst. Some are more reserved in the matter. It’s all very subjective.

    Obviously, if you don’t feel comfortable keeping it active, by all means, disable it until the patch is released to the masses.

    Cheers,
    /Cristian.

    = 2.40.1 – Jan. 25, 2020 =
    * improved data sanitization

    It appears that the patched version is live, and the plugin is no longer suspended. I’ve updated all my client sites.

    In terms of subjectivity of disabling vs. not disabling, that’s based on a pragmatic assessment of other plugins in the WordPress space, that allow user submissions “from the wild”, as it were. Many recent vulnerabilities exploit weaknesses in user authentication/validation, along with improper input field sanitization. You can’t really blame us for being paranoid.

    I’m glad that the fixed version is live, and that everyone has worked hard to fix the problem.

    Now, do you mind telling us what all the hubbub was about?

    Here’s the diff for the current (version 2.40.1, revision 2233202) and previous (version 2.40.0, revision 2211492) revisions: https://plugins.trac.www.ads-software.com/changeset?old=2211492&old_path=strong-testimonials&new=&new_path=strong-testimonials

    I’m no expert, but if I’m interpreting the code and the changes correctly, there was a way for a malicious POST request to inject code due to improper sanitization.

    Also the domain was changed for the link to the paid version, from strongtestimonials.com to wp-modula.com. Both domains were registered 2 months apart in 2017 with the same registrar.

    • This reply was modified 4 years, 9 months ago by Bart Kuijper.
    Thread Starter Manni02

    (@manni02)

    @cristianraiber-1 Thanks for keeping us informed and for the quick update. Keep up the good work!

    Plugin Author Cristian Raiber

    (@cristianraiber-1)

    Update is out, in case you guys haven’t seen the backend notification.

  • The topic ‘Plugin withdrawn from www.ads-software.com’ is closed to new replies.