• jamminjames

    (@jamminjames)


    Has MF Gig Calendar been abandoned? The last update was over 7 months ago, and WP says it’s not tested with the latest version.

    This critical vulnerability is being reported, how do we deal with it? When will the plugin be updated, if ever?

    Thanks for any help.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Just as a third party IT engineer, I want to add a quick note about the vulnerability.

    As I checked the report, it seems like this vulnerability requires a privilege at least as contributor.

    Thus it does not mean every visitor can break the database or steal information from it (of course it should be fixed though), so users who manage the site just by themselves or by trusted people would not be affected at least just using it normally at least with this vulnerability.

    IMO it is also an issue that this plugin does not require a proper privilege to manage the plugin setting, it should be done by only administrators.

    • This reply was modified 9 months, 2 weeks ago by Sohei Iwahori.
    Thread Starter jamminjames

    (@jamminjames)

    Thanks, @egmc, that is very helpful.

    Plugin Author Matthew Fries

    (@brewermfnyc)

    Hey all, thanks for the interest in the Gig Calendar. @egmc is correct that the “critical vulnerability” is behind the admin login, so it wasn’t super-urgent for me to patch – but also yes, that it should be fixed.

    I’m not planning any new major development on the plugin – I’ve just got too much other stuff going on – but I do want to make sure it keeps working for folks using it. I’m using it on a couple current WP sites without issue. I just haven’t pushed an update that would only tell everyone the current tested version.

    Thread Starter jamminjames

    (@jamminjames)

    @brewermfnyc Matthew, thanks for the update. You say you don’t plan anything major with the plugin, but do you plan on fixing the vulnerability? Thanks.

    @brewermfnyc?

    I’m not sure if this thread is the right place to suggest it, though how about adding me as a maintainer for this plugin?

    My motivation is to use this plugin for my maintaining site ( mentioned in another thread ) for long term.

    If there is no plan for major updates, I could fix some vulnerabilities and keep it running on new PHP versions as much as I can.

    Let’s say, if a new critical vulnerability is found in the future, and you’re too busy to fix it, I may fix it by myself to use it for my maintaining site, but it can be more beneficial for other users in that way.

    Please have a think about it.

    Thanks.

    Plugin Author Matthew Fries

    (@brewermfnyc)

    @jamminjames – I’m definitely going to fix it!

    @egmc – I’ll follow up with you separately. Thanks for the offer to help!

  • The topic ‘Reported critical vulnerability fix? Plugin abandoned?’ is closed to new replies.