• Resolved mssbee

    (@mssbee)


    Wordfence is citing that there is a security vulnerability. I am running version 4.3.0.

    Looking at the Wordfence article’s documentation and the plugin changelog I am confused.

    The changelog shows version 4.4.0 (10 JAN 2023) as the current version; however, the download file is version 4.3.0. Also, there is no option to update to the plugin 4.4.0 on the website.

    The Wordfence article concerning the vulnerability cites “The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0.” Yet further down in a table on the page, it says:
    Remediation: Update to version 4.3.0, or a newer patched version
    Affected Version: <= 4.2.1
    Patched Version: 4.3.0

    Would like to know if I am running a secure version of the plugin.

  • No updates on this? Uninstalling…

    Plugin Author WarfarePlugins

    (@warfareplugins)

    Hi, we just received word back from Wordfence that they have updated their record.
    They corrected their typo stating that we are up to 4.4.0 and corrected it to read 4.3.1, which is the current version.
    We now need to wait for WordPress Repo to update, and then Wordfence will update their vulnerability alert.

    And for those who are interested, the vulnerability they are reporting is not even technically a vulnerability. Basically, they see one instance where, if someone is logged in as a ‘user’ (any level from admin to subscriber), then that person can cause another user to have their Facebook token temporarily disconnected. So basically they agree with our question, “Who would go through all that hassle to trick someone into disconnecting Facebook?”

    Regardless of the severity of the “vulnerability” it has been fixed and we are now waiting for WordPress repo to update.

    Thank you for your patience
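The class of bug described above (an admin-ajax.php action that acts on another user's token without a capability check) and the usual fix, as an added illustration written for this thread; it is not code from the Social Warfare plugin, and the hook names, meta key and capabilities are hypothetical.

```php
<?php
// Constructed example, not Social Warfare's code. Shows the pattern Wordfence
// flagged (a logged-in user of any role can disconnect another user's Facebook
// token) and a hardened handler with nonce, capability and ownership checks.

// --- Vulnerable pattern: any authenticated user may call this action and name
// any user ID, because nothing checks a nonce, a capability or ownership.
add_action( 'wp_ajax_example_disconnect_fb', 'example_disconnect_fb_unchecked' );
function example_disconnect_fb_unchecked() {
    $target = absint( $_POST['user_id'] ?? 0 );          // caller-controlled
    delete_user_meta( $target, 'example_fb_access_token' ); // hypothetical key
    wp_send_json_success();
}

// --- Hardened pattern: reject forged requests, require a capability, and only
// touch the requesting user's own token unless they may edit other users.
add_action( 'wp_ajax_example_disconnect_fb_safe', 'example_disconnect_fb_checked' );
function example_disconnect_fb_checked() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'example_disconnect_fb', 'nonce' );

    // 2. Capability check: subscribers with no plugin rights are refused.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 );
    }

    // 3. Ownership check: a self-service action defaults to the current user;
    //    acting on someone else requires the edit_user meta capability.
    $requested = absint( $_POST['user_id'] ?? 0 );
    $target    = get_current_user_id();
    if ( $requested && $requested !== $target ) {
        if ( ! current_user_can( 'edit_user', $requested ) ) {
            wp_send_json_error( 'cannot_edit_other_user', 403 );
        }
        $target = $requested;
    }

    delete_user_meta( $target, 'example_fb_access_token' );
    wp_send_json_success( array( 'disconnected_user' => $target ) );
}
```

Note that only `wp_ajax_` (not `wp_ajax_nopriv_`) hooks are registered, so unauthenticated visitors never reach either handler.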

    Will you update the downloadable version from your site to have the most recent version even though you are waiting for the WP repository to post it?

    I see on https://warfareplugins.com/products/social-warfare/ the version that can be downloaded is still at 4.3.0.

    Thanks.

    Plugin Author WarfarePlugins

    (@warfareplugins)

    The updates have been released.
    It is best to update Pro first, then update core if you are using the paid version.
    Hopefully Wordfence will fix their alert soon also.
    Thanks for your patience.

  • The topic ‘WordFence Citing Secuity Vulernability’ is closed to new replies.