• Resolved zigpress

    (@zigpress)


    The latest version requires WordPress 5.3. Is there a code-related reason for this – is TablePress now using code that only works in WP 5.3?

    It means compatibility with ClassicPress is lost (ClassicPress is a fork of WordPress 4.9.x).

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    thanks for your post, and sorry for the trouble.

    Yes, TablePress relies on changes in WordPress 5.3, like a simplified code and CSS structure. This allows me to greatly reduce complexity, because I would otherwise have to add version checks in several places. Also, it makes offering support more difficult, because of the variety of versions that I would have to test with.

    For users who can’t or don’t want to use the newest versions of WordPress, I recommend sticking to the older versions of TablePress. As for ClassicPress, which I have never tried myself, you could also investigate using WordPress again, but with the “Classic Editor” plugin.

    I’m really sorry that all this potentially causes inconvenience for you, but as I’m only doing this as a hobby, this is all that I can provide around TablePress. Thanks for your understanding.

    Regards,
    Tobias

    Thread Starter zigpress

    (@zigpress)

    Thanks for the reply and as a fellow plugin developer I completely understand your position.

    I want to ask one thing: a csv injection vulnerability has been discovered in TablePress 1.9.2 (link below). Would you be prepared to release a 1.9.3 just to fix that one thing, and preserve WP 4.9.x compatibility with just that particular release?

    https://medium.com/@Pablo0xSantiago/cve-2019-20180-tablepress-version-1-9-2-csv-injection-65309fcc8be8

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    I don’t know why Pablo writes that TablePress 1.10 “fixes” this, to be honest.
    1.10 doesn’t contain any changes in this regard. Basically, TablePress is just used as a text editor here, and any other normal text editor can be used to create such a malicious CSV file. And you wouldn’t say that Notepad has a security issue, would you? That’s why, in my opinion, this is more of an issue in Excel.

    Regards,
    Tobias

    Thread Starter zigpress

    (@zigpress)

    Well, that’s OK. If you don’t feel this is a risk then that’s good; I can continue using 1.9.2. But now that the vulnerability has been published by WP Security Bloggers, it might be a good idea for you to contact them to establish why they feel this is a vulnerability, especially if 1.10 doesn’t change this aspect of the plugin. I’m not a security specialist, just a humble plugin developer!

    @tobiasbg you say 1.10 doesn’t change anything in this regard – but the Medium post claims that to mitigate the vulnerability, the export ensures that fields cannot start with formulaic symbols. Are you saying that this IS still a possible issue in 1.10?

    This has been published on WPVulnDB now, so you will probably see more attention/questions about this coming your way. Just FYI https://wpvulndb.com/vulnerabilities/10016
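    The mitigation the Medium post describes (an export that keeps fields from starting with formula-trigger characters) as an added PHP example; this is not TablePress code, and every function name is hypothetical. It applies the common single-quote-prefix approach, quotes every field per RFC 4180, and includes a scanner that reports which cells of a table would be treated as formulas by a spreadsheet.

```php
<?php
// Added example, not TablePress's own export code.
// Characters that make Excel/LibreOffice interpret a cell as a formula.
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** True if a raw cell value would be evaluated as a formula when opened. */
function csv_cell_is_formula_like(string $value): bool {
    // Some importers strip leading spaces, so inspect the first non-space char.
    $first = substr(ltrim($value, ' '), 0, 1);
    return $first !== '' && in_array($first, CSV_FORMULA_TRIGGERS, true);
}

/** Neutralise a risky cell by prefixing a single quote (spreadsheets then
 *  treat it as text). Non-risky cells are returned unchanged. */
function sanitize_csv_cell(string $value): string {
    return csv_cell_is_formula_like($value) ? "'" . $value : $value;
}

/** Write a 2-D array of strings as RFC 4180 CSV: every field quoted,
 *  embedded double quotes doubled, rows terminated with CRLF. */
function export_table_to_csv(array $rows, string $delimiter = ','): string {
    $lines = [];
    foreach ($rows as $row) {
        $fields = [];
        foreach ($row as $cell) {
            $safe = sanitize_csv_cell((string) $cell);
            $fields[] = '"' . str_replace('"', '""', $safe) . '"';
        }
        $lines[] = implode($delimiter, $fields);
    }
    return implode("\r\n", $lines) . "\r\n";
}

/** Report [row, column] pairs of cells that would run as formulas,
 *  e.g. to audit table data before an unsanitised export. */
function find_formula_cells(array $rows): array {
    $hits = [];
    foreach ($rows as $r => $row) {
        foreach ($row as $c => $cell) {
            if (csv_cell_is_formula_like((string) $cell)) {
                $hits[] = [$r, $c];
            }
        }
    }
    return $hits;
}

// Constructed sample table: a plain cell, a negative number, a formula cell.
$table = [
    ['Name',  'Balance', 'Note'],
    ['Alice', '-12.50',  'plain text'],
    ['Bob',   '100',     '=SUM(1,2)'],
];
var_dump(find_formula_cells($table)); // [[1,1],[2,2]]
echo export_table_to_csv($table);
```

Note that the prefix rule also turns legitimate negative numbers such as -12.50 into text cells; exports meant for numeric consumers may want to exempt values that parse as plain numbers.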

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    @zigpress:
    Yes, in my opinion, you can continue to use TablePress 1.9.2 on older versions of WordPress.
    I’ll definitely try to reach out to them and to Pablo, who reported this! It’s very weird that they published this with wrong information…

    @dmchale:
    Yes, this is still possible with TablePress 1.10. There were no changes to how the CSV export treats formulas.
    However, I firmly believe that this is not a vulnerability in TablePress! TablePress creates CSV files according to the common definition. As mentioned above, a malicious CSV file could be created with any text editor! Excel should be checking this more thoroughly when opening a CSV file.
    Thanks for the link to WPVulnDB! I’ll also try to reach out to them.

    Regards,
    Tobias

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    @zigpress:
    Yes, you can continue to use TablePress 1.9.2, if you can’t update to TablePress 1.10.
    I already contacted the reporter of this issue and the WPVulnDB team.

    @dmchale:
    Yes, this is still an “issue” with TablePress 1.10, because nothing changed in the code of the CSV export since 1.9.2. However, this is not an actual issue in TablePress, but in Excel (and other programs that simply don’t check the CSV file they are opening for malicious content). One could use a normal text editor (like Notepad) or programming IDE (like Atom or Visual Studio Code) to create a bad CSV file for this problem. So, this is nothing special in TablePress, but a problem in Excel, etc.

    Regards,
    Tobias

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    the reporter of the issue confirmed that this is a very low risk problem. Users don’t have to worry here.

    Best wishes,
    Tobias

    Thread Starter zigpress

    (@zigpress)

    Yes, it certainly seems that websites aren’t at risk. Thanks Tobias.

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    sure, no problem!

    Best wishes,
    Tobias

  • The topic ‘Why such a high WP version requirement?’ is closed to new replies.