• Resolved dljordaneku

    (@dljordaneku)


    I just got an email informing me of a security vulnerability in version 2.4.13. Any timetable for a fix?

    WordPress Timetable and Event Schedule Plugin <= 2.4.13 is vulnerable to PHP Object Injection

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter dljordaneku

    (@dljordaneku)

    Any update?

    Plugin Support eugenewhite

    (@eugenewhite)

    Hello there! 

    Sorry to hear you faced such an issue with our TimeTable plugin. And I apologize for the delayed response. 

    Please be informed that we checked the link to the PHP Object Injection vulnerability you shared with us. However, there are no details about it on the side of Patchstack and we’re unsure how to reproduce it and what seems to be the real reason for it. But we will take another look at this issue and try to find the cause. You can let us know if you get any details on that. We would appreciate it since it’s unclear where the issue came from. Thank you!

    Thread Starter dljordaneku

    (@dljordaneku)

    I will reach out to them and see what they can give me. I don’t know if the link I provided had this in it or not but they are saying it is related to this CVE.

    https://www.cve.org/CVERecord?id=CVE-2024-39630

    Thread Starter dljordaneku

    (@dljordaneku)

    From Patchstack.

    Hello. They were notified about the issue on 2024-06-20 at 14:21:20 (EEST). Since they have not reacted, the vulnerability has been disclosed.

    Hi,

    I got this note now as well. Any plans on updating the plugin?

    Timetable and Event Schedule <= 2.4.13 – Authenticated (Admin+) PHP Object Injection

    Description: The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.13 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

    https://wpscan.com/vulnerability/c973f262-ac96-41db-817e-bfb23f0ec8b1/
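The WPScan description quoted above is the only technical detail in the thread. As an added illustration (not the plugin's code and not posted by anyone in the thread), here is the unsafe deserialization pattern it describes beside two hardened forms, using a hypothetical settings-import handler; the function names and sample inputs are constructed for this example.

```php
<?php
// Added illustration, not code from the Timetable and Event Schedule plugin.
// Hypothetical import handler: the plugin's real code path is not shown in the thread.

// Vulnerable pattern: an untrusted serialized string from a request reaches unserialize().
// Any class loaded in WordPress (core, other plugins, themes) can be instantiated and its
// __wakeup()/__destruct() magic methods run, which is exactly what a POP chain abuses.
function import_settings_vulnerable( string $raw ): array {
    $settings = unserialize( $raw );           // untrusted input, no class restriction
    return is_array( $settings ) ? $settings : array();
}

// Hardened pattern 1: keep the serialized format but forbid object instantiation.
// With allowed_classes => false every object in the payload becomes
// __PHP_Incomplete_Class, so no magic methods of real classes are invoked.
function import_settings_hardened( string $raw ): array {
    $settings = unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $settings ) ) {
        return array();
    }
    // Defence in depth: refuse any object that survived, even an incomplete one.
    array_walk_recursive( $settings, function ( $value ) {
        if ( is_object( $value ) ) {
            throw new InvalidArgumentException( 'Objects are not allowed in settings import' );
        }
    } );
    return $settings;
}

// Hardened pattern 2: use a data-only format. json_decode() never instantiates
// arbitrary classes, so there is nothing for a gadget chain to attach to.
function import_settings_json( string $raw ): array {
    $settings = json_decode( $raw, true, 32, JSON_THROW_ON_ERROR );
    return is_array( $settings ) ? $settings : array();
}

// Constructed sample inputs (a harmless DateTime stands in for any object; not an exploit).
$benign      = serialize( array( 'timezone' => 'UTC', 'first_day' => 1 ) );
$with_object = serialize( array( 'timezone' => new DateTime( '2024-06-20 14:21:20' ) ) );

var_dump( import_settings_hardened( $benign ) );   // plain array, accepted
try {
    import_settings_hardened( $with_object );       // embedded object is refused
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), PHP_EOL;
}
```

Pattern 2 is the one to prefer for new code; pattern 1 is the minimal fix when the stored format cannot change.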

    Thread Starter dljordaneku

    (@dljordaneku)

    @motionskicken I got an email that they were addressing it and I saw an update available on my sites this morning.

    Plugin Support eugenewhite

    (@eugenewhite)

    Hello guys! 

    Yes, we have released the TimeTable plugin version 2.4.14, which resolves the PHP Object Injection vulnerability. 

    Please update the plugin to the latest version and let us know if there’s anything we can help you with. 
