Hi, thank you for asking this.
I did check the plugin and the 2.8.3 version fixes a few things.
I added a Nonce to the settings pages. This could lead to a CSRF issue, but only with a targeted attack and with limited issues. If someone would construct a webpage that does an AJAX-request to your webpage, while you are logged in, it can reset the term_order. Using a Nonce makes this impossible.
I double checked that only integer values are inserted into the custom database fields. This looks fine to me.
The validation and sanitizing of 2 options could have been done better. They are now using sanitize_text_field.
I think this could only have been abused together with a targeted attack mentioned in the first point.
Please be aware that all of WordPress, theme and plugins have write access to all code. That this code has been altered does not mean that this was the attack vector. I don’t mean this to shrug this off, I just try to be clear on it.
Thank you for your feedback anyway. I hope things end up right for your website.
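The three fixes described in the reply above (nonce check, integer-only database values, `sanitize_text_field` on options), sketched as an added example that is not part of the original post and is not the plugin's own code. All `myplugin_*` names, the option name, the capabilities, and the assumption that `term_order` is a column on the terms table are hypothetical.

```php
<?php
// Added example with hypothetical names (myplugin_*); not the plugin's real code.

// Settings form: emit a nonce bound to this action and the current user.
function myplugin_render_nonce_field() {
    wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' );
}

// Settings handler: capability check, nonce check, then sanitize the option.
function myplugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries the nonce issued by the form above.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $label = isset( $_POST['myplugin_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
        : '';
    update_option( 'myplugin_label', $label );
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );

// AJAX handler that resets term_order for one term.
function myplugin_ajax_reset_order() {
    // A cross-site page cannot read the nonce, so a forged request stops here.
    check_ajax_referer( 'myplugin_reset_order', 'nonce' );
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Force the ID to a non-negative integer before it reaches the database.
    $term_id = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;
    if ( 0 === $term_id ) {
        wp_send_json_error( 'invalid term_id', 400 );
    }

    global $wpdb;
    // Assumption: term_order is a custom integer column on the terms table.
    $wpdb->update(
        $wpdb->terms,
        array( 'term_order' => 0 ),
        array( 'term_id' => $term_id ),
        array( '%d' ),
        array( '%d' )
    );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_reset_order', 'myplugin_ajax_reset_order' );
```

The admin page would pass `wp_create_nonce( 'myplugin_reset_order' )` to its script so that legitimate AJAX calls can send it in the `nonce` field.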