Ginto 888,PNXBET ph Login.Recharge Every day and Get Bonus up-to 50%!

Daan Oostindi?n
(@daanzk)

1 year, 6 months ago

Hi. There is an active vulnerability in this plugin, that’s why it has been removed temporarily. See https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/file-away/file-away-39901-authenticated-contributor-stored-cross-site-scripting-via-shortcode

I just wonder if I can help? I’m a developer myself. This is a useful plugin. Let me know.

Viewing 10 replies - 1 through 10 (of 10 total)

Plugin Author thomstark
(@thomstark)

1 year, 6 months ago

Sure. I wasn’t aware of this and I clearly do not have time to maintain this these days. Can I bring you on as a contributor or what do you think?

Thread Starter Daan Oostindi?n
(@daanzk)

1 year, 6 months ago

It will take me some time to get up to speed, if other programmers are quicker, be my guest.

Not to discredit @amarthakur88 but the user was created today and this is the only post. Be careful who you trust.
Thread Starter Daan Oostindi?n
(@daanzk)

1 year, 4 months ago
Alternatives? I don’t know.

For what its worth, this fixes the current vulnerability:

Add:
if($class) $class = sanitize_html_class($class);
To:
lib/cls/class.fileup.php on line 20. Right below the two extract(); calls

While you’re add it @thomstark maybe you can add me to the developers and I can attempt to make this plugin PHP 8.x proof.
- This reply was modified 1 year, 4 months ago by Daan Oostindi?n.
glagrotteria
(@glagrotteria)

11 months, 1 week ago

is this fix still available, because I need to make my websites with this plugin safer

jjanthony
(@jjanthony)

9 months, 4 weeks ago

I would love to have this back. I would even consider paying for it if I knew it was going to be updated regularly for security so I don’t keep getting hacked. There’s nothing else with this functionality.

Li-An
(@li-an)

9 months, 1 week ago

I hope there will be a workaround. It works nicely with S2Member and I don’t want to change all my site.

jjanthony
(@jjanthony)

9 months, 1 week ago

i would strongly urge you to remove it now. My site was hacked several times before I realized it was because of this plug in. It sucks because I was unable to find a replacement and have to do it by hand.

Li-An
(@li-an)

9 months, 1 week ago

There is an alternative but much simplier https://wpdemo.dovi42.hu/download-from-files-en/

@jjanthony?: thanks for the alert. The site where I?use the plugin is quite “hidden” – it’s a private site to share files for my work – but I’m concerned in security.

Thread Starter Daan Oostindi?n
(@daanzk)

9 months ago

@li-an I wont trust a plugin that is not available through the regular WordPress Plugin Directory. If you are serious about this project, please make it available.

I had low-key started working on fixing the File Away plugin. Just re-writing and moving code. Unfortunately I now must admit my defeat… the code from this plugin is too much of a mess to even understand the simplest functions. It’ll be much, much quicker just to start over new.

With the original author not responding this plugin is dead anyway.

Li-An
(@li-an)

7 months ago

There are a lot of plugins not available on depot and without any issue – think premium plugins. But I can understand perfectly your concern.

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘Vulnerability’ is closed to new replies.