• Resolved 007me

    (@007me)


    Hi,

    If this is a false alarm and you’re saying that the lite version isn’t affected, why don’t you fix this false alarm so it won’t bother us?

    The page I need help with: [log in to see the link]

Viewing 11 replies - 1 through 11 (of 11 total)
  • Wordfence is reporting a critical vulnerability re Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’). @007me , the pinned post I believe you are referring to was from 12 months ago, but this critical warning is a new one for me and could be due to something else completely.

    Details: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpdatatables/wpdatatables-tables-table-charts-premium-631-unauthenticated-sql-injection

    I hope the devs will look into this and issue a patch ASAP.

    Thread Starter 007me

    (@007me)

    @pracko What you’re referring to is the premium version, which is different from the free version and according to Wordfence it was patched already.

    I’m talking about the free version that has this issue.

    The problem is that the Lite and Premium version use the same slug (wpdatatables) but different version numbering. As a result the Lite version 3.4.2.17 appears vulnerable in scans when in fact it’s the Premium version 6.3.1 and older that is vulnerable.

    The solution is to use different slugs (pretty much impossible at this late stage), or to align the version numbering of the Lite and Premium plugins. Aligned version numbering should be pretty easy to implement if TMS-Plugins has the will to do so.

    I’ve had the free version for months with no critical vulnerability warning from Wordfence until just now. There appears to be a NEW security issue with the FREE version of the plugin now.

    As far as I can see, the new vulnerability is with the Premium edition (and fixed in the latest). But there is a confusion with the Lite edition due to the unfortunate version numbering (see above).

    Here is what the Wordfence Vulnerability Database has for all editions of the plugin:
    https://www.wordfence.com/threat-intel/vulnerabilities/search?search=wpdatatables
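    The false positive described above comes down to how a scanner matches an advisory against an installed plugin: slug equality plus a version comparison. The following Python is an added illustration, not code from Wordfence, wpDataTables or anyone in this thread. The advisory record (slug `wpdatatables`, affected versions 6.3.1 and below) and the three installed-plugin records are constructed from the figures quoted in the thread; the `edition` field is a hypothetical piece of metadata that a scanner would need in order to tell the two editions apart, which the thread says is exactly what today’s scanners cannot derive from the shared slug.

```python
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '3.4.2.17' into (3, 4, 2, 17) so versions compare numerically.

    Tuples of different length compare element-wise, so (3, 4, 2, 17) < (6, 3, 1)
    holds, which is the comparison that produces the false positive.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    """A vulnerability record as a scanner would store it (constructed)."""
    slug: str
    affected_max: str   # highest affected version; later versions are fixed
    edition: str        # hypothetical: which edition the advisory applies to


@dataclass(frozen=True)
class InstalledPlugin:
    """What a site scanner can see about an installed plugin (constructed)."""
    slug: str
    version: str
    edition: str        # hypothetical: not available to real scanners per the thread


# Constructed from the thread: Premium <= 6.3.1 affected, fixed after 6.3.1.
ADVISORY = Advisory(slug="wpdatatables", affected_max="6.3.1", edition="premium")

LITE = InstalledPlugin(slug="wpdatatables", version="3.4.2.17", edition="lite")
PREMIUM_OLD = InstalledPlugin(slug="wpdatatables", version="6.3.1", edition="premium")
PREMIUM_FIXED = InstalledPlugin(slug="wpdatatables", version="6.5.1", edition="premium")


def naive_match(plugin: InstalledPlugin, advisory: Advisory) -> bool:
    """Slug-plus-version matching: what the thread says scanners do today."""
    if plugin.slug != advisory.slug:
        return False
    return parse_version(plugin.version) <= parse_version(advisory.affected_max)


def edition_aware_match(plugin: InstalledPlugin, advisory: Advisory) -> bool:
    """Same check, but only if the advisory's edition matches the installed one.

    This removes the Lite false positive, at the price of needing edition
    metadata that, per the thread, the shared slug does not provide.
    """
    if plugin.edition != advisory.edition:
        return False
    return naive_match(plugin, advisory)


def scan(plugins, advisory: Advisory, matcher) -> list:
    """Return the versions a given matcher would flag, for side-by-side review."""
    return [p.version for p in plugins if matcher(p, advisory)]


if __name__ == "__main__":
    installed = [LITE, PREMIUM_OLD, PREMIUM_FIXED]
    print("naive:        ", scan(installed, ADVISORY, naive_match))
    print("edition-aware:", scan(installed, ADVISORY, edition_aware_match))
```

    Running it shows the naive matcher flagging both 3.4.2.17 (Lite) and 6.3.1 (Premium) while leaving 6.5.1 alone, and the edition-aware matcher flagging only 6.3.1. The practical takeaway for anyone triaging the Wordfence alert is to confirm which edition is installed and compare against the advisory’s own version range rather than trusting the slug match.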

    Plugin Author wpDataTables

    (@wpdatatables)

    Hi everyone,

    We apologize for the delayed response to this post and appreciate your patience.

    First, to clarify for @pracko, this report is slightly different but pertains to the same vulnerability mentioned in the pinned post above.

    If you examine the description of the flag on the link you sent (https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpdatatables/wpdatatables-tables-table-charts-premium-631-unauthenticated-sql-injection), you will see it flags the premium wpDataTables versions 6.3.1 or lower. Here are some screenshots illustrating this:


    In summary, the report indicates that wpDataTables Premium versions 6.3.1 and below have an unauthenticated SQL injection vulnerability. The free/Lite version does not have, and has never had, any SQL capabilities, so it is completely safe from such vulnerabilities. Only our premium versions were affected, but we have released new versions (the current one is 6.5.1), and all versions after 6.3.1 have been fixed.

    Regarding @dig49’s suggestion to align the version numbering of the Lite and Premium plugins, our developers tried this, but it caused other issues. They are now exploring alternative solutions.

    Finally, addressing @007me’s original question: Our developers and management are aware that many of our Lite version users are frustrated by this false vulnerability flag. This issue arises because security plugins cannot differentiate between our Lite and Premium versions, as they share the same slug name. Our developers are working diligently to find a resolution as soon as possible, though we cannot provide an ETA at this time.

    Thank you for your understanding.


    Thank you for this update and detailed answer, @wpdatatables !

    Thread Starter 007me

    (@007me)

    Hi @wpdatatables Thanks for getting back with a reply.

    Why won’t you align the version numbers so they will be identical for Lite and Premium? Won’t it solve the problem?

    Plugin Author wpDataTables

    (@wpdatatables)

    Hi @pracko,
    You’re welcome, we are happy to advise.

    @007me, If we align both premium and Lite versions to have exactly the same number and they already have the same slug name, this would cause even more complications and confusion amongst our users and most probably the Security Plugins and Auto-Update Plugins – the Auto-Update Plugin could ‘reroll’ the Premium user’s installation to the Lite version, which would again cause new issues;
    So, sadly we are unable to achieve that at this time, but we sent your feedback to our management.

    The developers also tried assigning different numbers for the version on the Lite/free Plugin, but sadly, that caused other issues so they reverted it.

    They are doing their best to devise a working solution as soon as possible, but we are unable to provide an exact ETA on it.
    Sorry for the inconvenience.

    Kind regards.

    Thread Starter 007me

    (@007me)

    @wpdatatables Thanks again for getting back with a detailed explanation. Let’s hope they will find a solution soon and we’ll get rid of this annoying warning.

    Plugin Author wpDataTables

    (@wpdatatables)

    Hello,
    You’re welcome, we are happy to advise.
    We will keep following up with the developers. They will do their best to continue trying different ideas to somehow resolve this as soon as possible, even though we still can’t give an ETA on it.
    Thank you for your understanding.

    Kind regards.
