Update

This plugin seems to be dead.

Moving here: https://www.ads-software.com/plugins/related-posts-for-wp/

Yeah and you might want to change plug ins it appears that there is a security vulnerability
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-53010-missing-authorization

Hi @kkow We’re looking into the issue. Thank you for your patience.

@jeffparker Please, kindly update your plugin vulnerability issue as soon as possible. Thanks

We have reached out to Patchstack, who has published this, for more information. We don’t seem to have any record of being notified by them. We have since reached out to them and are awaiting details on how to replicate the bug. It should be resolved shortly after we get the necessary information from them.

As noted by Patchstack (the one that found the bug and published the report), this issue has “a low severity impact and is unlikely to be exploited.”  …as per https://patchstack.com/database/vulnerability/yet-another-related-posts-plugin/wordpress-yet-another-related-posts-plugin-yarpp-plugin-5-30-10-broken-access-control-vulnerability

Again, thank you for your patience.

YARPP (@jeffparker)

Wordfence has posted on this security issue here: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-53010-missing-authorization

Please, do fix a.s.a.p?

Thanks,
Trish

Hi @trible We’re on it. Hope to hear back from Patchstack soon.

Hi all, Really Simple Security is listing this vulnerability this way:

————

Access violation vulnerability in YARPP – Yet Another Related Posts Plugin 5.30.10

• CVE-2024-43919

• Severity: medium-risk
• Status: Open
• Publication: August 26, 2024

The YARPP plugin for WordPress has a security issue that allows unauthorized access. This means that anyone can perform actions without being properly authenticated.

We’re yet to hear back from Patchstack. Followed up with them again today.

@pjvermij it seems overstated. Patchstack is the one that reported the bug. They themselves have assessed it as “a low severity impact and is unlikely to be exploited.” (published on their site) Given we’ve not been told as yet what the actual issue is, we’ll concur until we find out more!

Update: We’ve heard back. There is zero risk as the “bug” is in a section of code that isn’t even referenced anymore (dead code). Will address.

@jeffparker

Are you planning a release to remove this dead code?
This would allow security tools to consider that the flaw is no longer present, even if it doesn’t actually exist.

Thanks

@jeffparker: That really would be great, since I love the plugin ??

@jeffparker: Please add my name to the list of those who are eager to see the “dead code” removed from the plugin.

Patch coming later today.

New version with patch is live! Please update to version 5.30.11 or newer.

https://www.ads-software.com/plugins/yet-another-related-posts-plugin/#developers

We have notified Patchstack (reporter of bug). They should mark this as resolved soon, which then should make its way to Wordfence and others.

Thank you so much for your patience through this. Please update ASAP.