Kkjili casino Login,Big Baller Club login.Recharge Every day and Get Bonus up-to 50%!

Resolved CGS Web Designs
(@cgscomputers)

1 year, 3 months ago

An unpatched security vulnerability exists in the current version of the plugin. Details are at https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/molongui-authorship/molongui-4618-reflected-cross-site-scripting and https://patchstack.com/database/vulnerability/molongui-authorship/wordpress-molongui-plugin-4-6-18-cross-site-scripting-xss-vulnerability

The current recommendation is to uninstall the plugin until patched & the indication is that the plugin vendor has not replied to notification of the vulnerability.

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author Molongui
(@molongui)

1 year, 3 months ago

Hi @cgscomputers,

We have just released an update (4.6.19) with a fix for this.

Thanks for reporting!

nerdlogger
(@nerdlogger)

1 year, 3 months ago

Hi, I don’t believe the XSS issue has been resolved yet. Atleast not according to patchstack:

https://patchstack.com/database/vulnerability/molongui-authorship/wordpress-molongui-plugin-4-6-18-cross-site-scripting-xss-vulnerability

Plugin Author Molongui
(@molongui)

1 year, 3 months ago

Hi @nerdlogger,

The report you link is actually for versions <= 4.6.18. I know the title shows 4.6.19, but it is because it is a dynamic field, so it connects to WP plugin repo and gets the latest version available for the plugin. If you inspect the URL you shared, you will see the report is for version 4.6.18 (and lower)

We notified Patchstack as soon as we released the update with the fix. We haven’t heard back from them yet, but surely we will as soon as they check the fix. And sure they will update their report.

Thanks for caring!

nerdlogger
(@nerdlogger)

1 year, 3 months ago

Hi,

I don’t think that’s the case……This just came out today and specifically mentions version <= 4.6.19. I doubt that wordfence and patchstack are just “hard linking” to the www.ads-software.com version tag.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/molongui-authorship/molongui-4618-reflected-cross-site-scripting

Thanks,

Thread Starter CGS Web Designs
(@cgscomputers)

1 year, 3 months ago

According to the original reports, the current version is also vulnerable.

Plugin Author Molongui
(@molongui)

1 year, 3 months ago

Patchstack shows latest version is also vulnerable because they haven’t checked the fix it includes yet. Once they do (it is not an automatic process, but a human researcher the one who needs to check the code again), they will update their report and the warning will go away.

Obviously, and until they do, they will mark all versions from 4.6.18 on as vulnerable (because they haven’t checked yet the latest code and last notice they have is that the code they checked had that vulnerability).

By the way, they report the vulnerability as exploitable by unauthenticated users, which is wrong. Only users with access to the Dashboard and Editor privileges (or higher) and hacking skills could exploit it.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Unpatched Security Vulnerability’ is closed to new replies.