• Resolved wordmatej

    (@wordmatej)


    Hi,
    from Wordfence I received info:
    The Plugin “TablePress” has a security vulnerability.

    Can you pls check and let me know?

    Regards.


Viewing 9 replies - 1 through 9 (of 9 total)
  • I have the same issue as of this morning. Can anybody help?

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi @wordmatej and @aleksandra0agrecalc,

    thanks for your post, and sorry for the trouble.

    I regard this report as invalid. Please see https://www.ads-software.com/support/topic/wordfence-alerts-critical-for-vulenrability/?view=all#post-16068890 and my other replies in that thread for the current status.

    I’m currently working together with Wordfence to remove the underlying false entry from the global database that all this is based on.

    Best wishes,
    Tobias

    Thread Starter wordmatej

    (@wordmatej)

    Ok, thanks.
    Best regards

    Hi @tobiasbg,
    Thank you so much for your quick response, much appreciated. Hopefully the issue gets resolved soon.
    The plugin has been great with the tables, so kudos for creating it. It’s also very easy to add the custom CSS to it.
    Cheers again, and all the best,
    Aleksandra

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    no problem, you are very welcome! Good to hear that this helped!

    Thanks for the kind words, I really appreciate it! Good to hear that you like TablePress so much!

    Best wishes,
    Tobias
    P.S.: In case you haven’t, please rate TablePress here in the plugin directory. Thanks!

    Thread Starter wordmatej

    (@wordmatej)

    Thanks a lot again and for the quick reply.
    Best regards

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    no problem! Always happy to help!

    Best wishes,
    Tobias

    Hi Tobias,

    I don’t understand why you just don’t disable exports or replace the format. Leaving it in is continuing to perpetuate the issue and it will lead to insecurities if users start ignoring Wordfence vulnerability critical warnings.

    Thanks

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi @woocomuser,

    disabling exports is not an option, I’m afraid. It’s a very much needed and useful feature for users to create backups of their tables via exporting, or for data migration of tables from one site to another.

    The same for formulas in general: TablePress is a table and spreadsheet plugin and many users use math formulas for calculations. Thus, it’s vital that these are exported as well. Note that TablePress itself only supports safe formulas.
    Unfortunately, just removing/stripping potentially malicious formulas is not really possible, as there’s such a wide variety and so many ways to obfuscate them. Otherwise, I would of course already have done that.

    In addition, I’m of the strong opinion that TablePress is not to blame here:
    First, a site would already have to be compromised for an attacker to do something malicious. Then, the victim would have to have re-enabled a dangerous Excel feature in the Excel program options (one where Microsoft explicitly says “not recommended”). And on top of that, that user would have to ignore at least two very clear security warnings.

    I was in fact already able to convince Wordfence of this, but their notifications rely on the global CVE security database. I’ve already contacted the responsible organization, MITRE, regarding removing that entry, but unfortunately haven’t heard back from them. So, until they remove the entry, we’ll have to live with that warning it looks like. Please believe me that I’m the last person that wants this. As you can imagine all this has put a severe level of work on me in the last weeks.

    Regards,
    Tobias

  • The topic ‘Security vulnerability’ is closed to new replies.