• Resolved sao987

    (@sao987)


    I’ve been using this plug-in for a long time. It’s the most flexible free plugin I can find that allows me to use my own svg files in a block theme.

    With the PHP fix provided by @ov3rfly, this plug-in served me very well. However, now with CVE-2023-33998, it appears I have no choice but to switch to another one.

    Does anyone have any recommendations? Thanks a lot.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Ov3rfly

    (@ov3rfly)

    FYI, the impact of this vulnerability seems pretty low:

    This makes it possible for authenticated attackers, with subscriber-level access and above, to change the order of social icons.

    Source: wordfence.com vulnerability database
    Thread Starter sao987

    (@sao987)

    Thanks for your reply @ov3rfly and also thanks for your old fixes.

    I did see that it’s only a vulnerability to change social icons order, but since my site has over a thousand registered subscribers it’s an issue…

    Anyway, I guess I will probably delay any change until one day someone hacks the order of social icons, since I can’t find another similar plugin that doesn’t cost anything.

    Ov3rfly

    (@ov3rfly)

    You can add the missing capability check in the cnss_save_ajax_order function in easy-social-icons.php line 768 like this:

    function cnss_save_ajax_order() {
    	if ( !current_user_can( 'manage_options' ) ) wp_die( 'CVE-2023-33998 fix' );
    	global $wpdb;
    	...
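    The check above placed in a complete admin-ajax handler, as an added example that is not the plugin's own code or the poster's: the option name 'example_icon_order', the nonce action 'example_save_order' and the function names are hypothetical. The first function has the shape the thread describes as vulnerable (any logged-in user can reach it); the second adds the capability check from the post and a nonce check on top of it.

```php
<?php
// Added example, not the plugin's own code. Option name, nonce action and
// function names are hypothetical placeholders.

// Before: wp_ajax_* hooks fire for every authenticated user, so without a
// capability check a subscriber can reach this and rewrite the stored order.
function example_save_order_unchecked() {
    $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : array();
    update_option( 'example_icon_order', array_map( 'absint', $order ) );
    wp_die( 'saved' );
}

// After: the capability check from this thread comes first, followed by a
// nonce check so the request must come from a page the site itself rendered
// (this also blocks a CSRF against an administrator's browser).
function example_save_order_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'example_save_order', 'security' ); // dies on failure

    $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : array();
    // absint() keeps only non-negative integers, so the option never stores
    // arbitrary strings submitted by the client.
    update_option( 'example_icon_order', array_map( 'absint', $order ) );
    wp_die( 'saved' );
}
add_action( 'wp_ajax_example_save_order', 'example_save_order_checked' );

// Where the admin page enqueues its script, hand it the nonce; the script
// then posts it as the 'security' field alongside 'action' and 'order':
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_save_order' ),
// ) );
```

    Note that only the wp_ajax_ hook is registered, not wp_ajax_nopriv_, so unauthenticated requests never reach the function at all; the capability check then narrows the authenticated callers to administrators.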
    Thread Starter sao987

    (@sao987)

    @ov3rfly Wow! I can’t thank you enough for fixing this plugin again, extending its life once more!

    Plugin Author cybernetikz

    (@cybernetikz)

    Hello,

    The code fix suggested by @ov3rfly has been applied in the new version release, 3.2.5.

    thanks @ov3rfly

    Ov3rfly

    (@ov3rfly)

    Thanks for adding the capability check and the other fixes mentioned here.

    FYI, we made two more changes in lines 1203 and 1288:

    target="_blank"

    Changed to this:

    target="_blank" rel="noopener nofollow"

    And we made a change in line 1215:

    return strtolower(preg_replace($pattern,'-',$str));

    Changed to this:

    return trim(strtolower(preg_replace($pattern,'-',$str)),'-');
    // remove leading/trailing - char

    Line numbers as in version 3.2.5 of plugin.

    By the way, the contact form on your website seems not to be working; I am getting a “403 Forbidden” in AJAX when posting a form from here.

    Thanks for the plugin.
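    The two changes above in context, as an added example rather than the plugin's own code: a hypothetical example_slugify() carrying the trim() call from the post, and a hypothetical example_icon_link() that emits the target="_blank" link with rel="noopener nofollow".

```php
<?php
// Added example, not the plugin's own code. Function names, the pattern and
// the markup are hypothetical; only the trim() and rel changes come from the thread.

// Lower-case slug from a title; any run of non-alphanumerics becomes '-'.
// Without trim(), "Follow us!" slugifies to "follow-us-"; with it, "follow-us".
function example_slugify( $str ) {
    $pattern = '/[^a-z0-9]+/i';
    return trim( strtolower( preg_replace( $pattern, '-', $str ) ), '-' );
}

// Anchor for an icon that opens in a new tab. rel="noopener" keeps the opened
// page from getting a handle on window.opener (reverse tabnabbing); nofollow
// keeps the outbound link out of crawler ranking. Output goes through the
// WordPress escaping helpers so a stored title or URL cannot break the markup.
function example_icon_link( $url, $title, $img ) {
    return sprintf(
        '<a href="%s" title="%s" class="icon-%s" target="_blank" rel="noopener nofollow"><img src="%s" alt="%s"></a>',
        esc_url( $url ),
        esc_attr( $title ),
        esc_attr( example_slugify( $title ) ),
        esc_url( $img ),
        esc_attr( $title )
    );
}

echo example_icon_link( 'https://example.com/', 'Follow us!', 'https://example.com/icon.svg' );
```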

    Thread Starter sao987

    (@sao987)

    @cybernetikz Welcome back and thanks for the update!

    @ov3rfly Thanks for these SEO and security enhancements!

    Plugin Author cybernetikz

    (@cybernetikz)

    hello,

    By the way, the contact form on your website seems not to be working; I am getting a “403 Forbidden” in AJAX when posting a form from here.

    @ov3rfly can you please tell me how to reproduce this scenario?

    Ov3rfly

    (@ov3rfly)

    1. Open your website https://www.cybernetikz.com
    2. Scroll down to “Contact Us” footer or open “Contact Us” page
    3. Enter E-Mail and Message and click “I’m not a robot”
    4. Open Browser Console
    5. Click “Send now” or “Send your message”
    6. Read this in Browser Console (while the sending animation keeps spinning):
    POST https://www.cybernetikz.com/wp-json/contact-form-7/v1/contact-forms/79/feedback - 403 (Forbidden)
    
    or
    
    POST https://www.cybernetikz.com/wp-json/contact-form-7/v1/contact-forms/48/feedback - 403 (Forbidden)

    Maybe something blocks POST requests to the WordPress REST API.

  • The topic ‘Will the security vulnerability CVE-2023-33998 be fixed?’ is closed to new replies.