Version 4.74 Vulnerability?

@diver8642

You’re welcome! ??

Funny how it only showed up after the last update as I haven’t seen it before. In any case thanks to Red Sand for some clarification. I had disabled WP Spamshield but the notification still showed up so I didn’t relate the two. I concur that WP Spamshield is a great plugin and I use it on all my websites. ??

Soooo, WP 4.7.5 just came out and was auto installed as it had important security updates. But they didn’t bother to close the Host Header Injection in Password Reset issue?

• This reply was modified 7 years, 6 months ago by jasko40.
• This reply was modified 7 years, 6 months ago by jasko40.

Hi @jsko40,

You are correct. 4.7.5 does not fix that issue. I was surprised to see that as well. However, all sites that have WP-SpamShield 1.9.9.9.9 or higher installed, will be protected.

– Scott

Just a note, after installing WP-SpamShield 1.9.9.9.9, a GravityScan run on the site still reports the vulnerability and actually changed the priority from low to high. Not sure why. GravityScan is a site scanner from outside wordpress newly offered from WordFence. Yesterday was also my first use of that GravityScan, which initially pointed out the problem and caused me to find this support post and your plugin as a mitigation option. Thanks for doing what you do Scott!

• This reply was modified 7 years, 6 months ago by jasko40.

It’s likely detecting your site’s version of WP and cross-referencing it with a vulnerabilities DB. That’s likely why it still reports the vulnerability, since WordPress had not patched it yet.

If you’d like more info on how WP-SpamShield mitigates the threat, feel free to check out this blog post.

I’m glad they have that resource though. Excellent. ?? We’ll start giving it a test.

I’m glad you were able to find this post, and WP-SpamShield.

You are very welcome! We’re glad to help! ??

@localsearch No. I just got the same message with 4.7.5 – I protest that there should be some link to the derivation of alleged “…1 known security vulnerabilities” in order to justify putting such messages on dashboards without qualification. Poor plugin work if you ask me.

A link in the warning message takes [me] here: https://wpvulndb.com/wordpresses/475 but this does not return any warm-and-fuzzy information as it just makes me feel that there is more hanky-panky in the form of a virus as there is nothing legit looking to the site uri.

If this is a WP thing then it should state such. It appears a third party thing that I did not load on my instance, so where is it coming from and who put it there. This should be the biggest issue, now that we know it IS legit.

@tradesouthwestgmailcom @localsearch

We’re way ahead of you. ??

All of these concerns have already been addressed in updates that have been released since this thread started. If you haven’t upgraded to the latest version — 1.9.11 — please do so.

No. I just got the same message with 4.7.5

In v 1.9.10+, you would not see that. Unfortunately WordPress did not patch the issue in 4.7.5, so it is still a problem. But, again, WP-SpamShield completely mitigates the threat. See this blog post for more details.

A link in the warning message takes [me] here: https://wpvulndb.com/wordpresses/475 but this does not return any warm-and-fuzzy information as it just makes me feel that there is more hanky-panky in the form of a virus as there is nothing legit looking to the site uri.

If this is a WP thing then it should state such. It appears a third party thing that I did not load on my instance, so where is it coming from and who put it there.

That was already addressed 11 days ago. Since version 1.9.9.9.9, WP-SpamShield adds information about the source of the alert, that the alert is provided by WP-SpamShield, and that data is provided by the WPScan Vulnerability Database, along with a link to the homepage of the WPScan Vulnerability Database site. (The site is a well-known and trusted resource among WordPress security professionals.)

This thread is a bit of a dead horse at this point.

If anyone has any further issues or questions on this topic, please address them to the plugin’s main support page and we’ll be happy to help.

– Scott

So who is Red Sand Media Group and where does this warning message come from? I believe that is the most concerning question, that I would have.

And then finally, I don’t care about the patches and what your people consider an _answer_ to the questions that you say were already addressed… I am looking for the validity and the purpose to post something on a Dashboard that has no real message value or source tag indicator.

You send me off to a link and it has some good info. But when the average person sees a _warning_ on a Dashboard they tend to get itchy and uncomfortable with it being there. Try toning down the presence or be a bit more concise on WHY the message is appearing. I love WP-Spamshield but if I had known that is where it was from—and why—then I would not be here (beating dead horses. lol).

It could be that I have been using WP-Spamshield for years and this is the first time I have ever [noticed] ANY messages. If the warning would say “WP-SpanShield says….” on it then I would not have to wonder why a discouraging message has taken over my personal space. Sometimes less is better.

@tradesouthwestgmailcom

So who is Red Sand Media Group and where does this warning message come from? I believe that is the most concerning question, that I would have.

Um, we’re the developers of WP-SpamShield.

And then finally, I don’t care about the patches and what your people consider an _answer_ to the questions that you say were already addressed… I am looking for the validity and the purpose to post something on a Dashboard that has no real message value or source tag indicator.

The validity comes from the fact that we’re helping inform users that their site has a serious security vulnerability that needs to be addressed. We’ve always had a heavy focus on security. Anti-spam and security cannot be separated.

It could be that I have been using WP-Spamshield for years and this is the first time I have ever [noticed] ANY messages.

WordPress zero-day vulnerabilities (aka unpatched vulnerabilities) don’t come a long that often. If you keep your site up to date, and there are no zero-day vulnerabilities, you’d never see a notice.

I would not have to wonder why a discouraging message has taken over my personal space.

I’m sorry you felt discouraged by it, but that’s not its purpose. It’s purpose is to let a user know that there is a security vulnerability in their current WordPress install. That’s a serious issue that can lead to your site being hacked, so the issue needs to be addressed. If the site is not on the latest version, then normally upgrading will help take care of it. When you have a zero-day, then other measures will need to be taken.

We’re doing that to help people…I would hope that comes across. If you’re in danger, wouldn’t you want a friend to warn you? That’s all we’re trying to do.

Try toning down the presence or be a bit more concise on WHY the message is appearing. I love WP-Spamshield but if I had known that is where it was from—and why—then I would not be here

Right…and what I’m saying is that we’ve already done this. That’s already been taken care of. We’ve literally done exactly what you’re asking.