• Resolved Jos Klever

    (@josklever)


    This plugin was removed from www.ads-software.com 11 days ago (after the issue was found 2 weeks earlier?) for a known vulnerability published on https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27845, but I don’t see any activity to get this fixed. Can you please give an update on the status and preferably fix the issue?

    This plugin is used on a website of a client and I would like to know if they should remove/replace the plugin or if a solution will be available soon.

    Thanks,
    Jos Klever
    Web Support

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Marko Saric

    (@plausible)

    Thanks for reaching out Jos and sorry for the inconvenience!

    This report was submitted and the plugin was closed temporarily in the WordPress repository: https://patchstack.com/database/vulnerability/plausible-analytics/wordpress-plausible-analytics-plugin-1-2-2-authenticated-stored-cross-site-scripting-xss-vulnerability.

    Our WordPress developers have already submitted a new version of the plugin to the WordPress team for review. It will take a bit more time before the new version goes live. The vulnerability reported only happens if an unauthorized person has gained control over the WordPress admin panel. Otherwise, the vulnerability can’t happen.

    If this causes an issue for you, please use the manual way to insert our snippet into your site while we’re fixing the plugin: https://plausible.io/docs/plausible-script. You could also use a plugin such as this one if you prefer to install Plausible using a plugin: https://www.ads-software.com/plugins/insert-headers-and-footers/

    Thanks for your patience and sorry for the inconvenience!

    Plugin Author Marko Saric

    (@plausible)

    Latest update: After the first review, we were told it’s not enough to fix the issue but that we should review the rest of the plugin too to ensure we are not missing anything. That’s now been done and we’ve submitted the latest version of the plugin for another round of reviews. We’re hoping to get it approved this week!

    Thread Starter Jos Klever

    (@josklever)

    Hi Marko,

    I understand, thanks for the update!

    Jos

    Plugin Author Marko Saric

    (@plausible)

    Our plugin is now back in the WordPress plugin repository. Thank you for your patience!

    Hi, the plugin seems to have been removed again (This plugin has been closed as of May 24, 2022 and is not available for download. This closure is temporary, pending a full review.)
    Do you have any updates on the reason and current status?

    Thanks,
    Yannick

    Plugin Author Marko Saric

    (@plausible)

    Hi!

    The WordPress team contacted us again three days ago with one remaining item that they missed in their last review, so they closed the plugin temporarily in the WordPress repository. Our WordPress developers have already submitted the fix. We’re hoping it will go live in the next day or two, but it depends on the WordPress team and their manual review of our update. Thanks!

    Plugin Author Marko Saric

    (@plausible)

    All fixed in version 1.2.4, which is now in the official WordPress plugin directory. Thanks!

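    For anyone in the same position as the original poster (checking a client site after a plugin was closed and then restored), here is an added example of how to tell whether an installed copy is still below the fixed version. It is not code from the thread or from Plausible: it reads the `Version:` header that WordPress itself reads from a plugin's main file, and compares it field by field against the version named as fixed. The main file name `plausible-analytics.php` and the sample header below are assumptions made for the demo; the plugin slug `plausible-analytics` is the one that appears in the Patchstack link above.

```shell
#!/bin/sh
# Added example (not from the thread, not Plausible's code): report whether an
# installed WordPress plugin is older than the version that carries a fix.

# Print the version declared in a plugin's main file (the "Version:" header
# that WordPress parses), or print nothing if no such header exists.
plugin_version() {
    # $1 = path to the plugin's main PHP file
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is strictly older than $2, 1 otherwise.
# Compares numerically field by field, so 1.10 is newer than 1.9 and a
# missing field counts as 0 (1.2 is older than 1.2.4).
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Print one line: "vulnerable <installed> < <fixed>", "fixed <installed> >= <fixed>",
# or "unknown (...)" when the header cannot be read.
plugin_status() {
    # $1 = plugin main file, $2 = first version that contains the fix
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then
        echo "unknown (no Version header in $1)"
    elif version_lt "$v" "$2"; then
        echo "vulnerable $v < $2"
    else
        echo "fixed $v >= $2"
    fi
}

# Constructed sample input (not a real plugin file): a header shaped like the
# one WordPress reads from wp-content/plugins/<slug>/<main-file>.php.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/plausible-analytics.php" <<'EOF'
<?php
/**
 * Plugin Name: Plausible Analytics
 * Version: 1.2.2
 */
EOF

plugin_status "$demo_dir/plausible-analytics.php" 1.2.4
rm -rf "$demo_dir"
```

    On a real site, point `plugin_status` at the plugin's main file under `wp-content/plugins/plausible-analytics/` (the exact file name is an assumption here) with `1.2.4` as the fixed version; anything reported as `vulnerable` should be updated. Versions with non-numeric suffixes are not handled, since the header regex only captures digits and dots.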
    Dear Marko,

    great, many thanks for the swift action by you and the Plausible team!

    Plugin Author Marko Saric

    (@plausible)

    You’re welcome! Enjoy Plausible!

  • The topic ‘What’s the status of the security issue?’ is closed to new replies.