Resolved pracko

    (@pracko)


    Wordfence scan today indicated a critical security vulnerability with this plugin, version 3.36.0.

    Appsero <= 1.2.1 – Missing Authorization
    The Appsero analytics tool used in several plugins is vulnerable to authorization bypass due to a missing capability check on the uninstall_reason_submission function used for feedback submission in versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function intended for administrator use.

    More info at Wordfence: https://www.wordfence.com/threat-intel/vulnerabilities/detail/appsero-121-missing-authorization

    Please fix.
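As an added illustration of the vulnerability class described above (an admin-only handler reachable by any logged-in user because it never checks the caller's capability), here is a hypothetical WordPress AJAX handler in its weak and hardened forms. This is example code, not Appsero's or MetaSlider's actual code; the hook, function and option names are assumptions.

```php
<?php
// Hypothetical illustration only (not Appsero's code): the vulnerability class is a
// handler that changes plugin state for any authenticated caller.
// Weak form: registered for all logged-in users, no nonce and no capability check.
add_action( 'wp_ajax_example_uninstall_reason', 'example_uninstall_reason_weak' );
function example_uninstall_reason_weak() {
    // A subscriber-level account reaches this line just as an administrator does.
    $reason = isset( $_POST['reason'] ) ? sanitize_text_field( wp_unslash( $_POST['reason'] ) ) : '';
    update_option( 'example_uninstall_reason', $reason );
    wp_send_json_success();
}

// Hardened form: verify the request nonce and require an administrator-level capability
// before touching any state. Both checks run before the request body is read.
add_action( 'wp_ajax_example_uninstall_reason_fixed', 'example_uninstall_reason_fixed' );
function example_uninstall_reason_fixed() {
    // Dies with a 403 response when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_uninstall_reason', 'nonce' );

    // Missing capability check is the defect class named in the advisory above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $reason = isset( $_POST['reason'] ) ? sanitize_text_field( wp_unslash( $_POST['reason'] ) ) : '';
    update_option( 'example_uninstall_reason', $reason );
    wp_send_json_success();
}
```

The matching nonce for the hardened handler would be generated server-side with `wp_create_nonce( 'example_uninstall_reason' )` and passed to the page's script.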

Viewing 4 replies - 1 through 4 (of 4 total)
Plugin Author Steve Burge

    (@stevejburge)

    @pracko Thanks for using MetaSlider.

    To the best of my knowledge this was fixed in December. You can see the changelog for version 3.28.2 of MetaSlider. And you can download the current version of MetaSlider to see we’re using 1.2.2 of AppSero.

    But we’re investigating to see why Wordfence would suddenly re-open this today.

    Hi @stevejburge and @pracko,

    Chloe here from Wordfence! I just wanted to reach out to apologize for this mistake – it was an error on our part. Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows was in fact patched in version 3.28.1 and due to an oversight on our part, we mistakenly remarked it as vulnerable. We’ve corrected the record so you should no longer receive a notification that the plugin is vulnerable. We’re investigating how this happened and will implement controls to prevent us from doing this again in the future.

    Apologies again for the mistake! All the best,

    Chloe

    Thread Starter pracko

    (@pracko)

    Great news, thank you!

    Plugin Author Steve Burge

    (@stevejburge)

    Thanks for the quick response and explanation, @wfchloe.

The topic ‘Wordfence: MetaSlider has a critical security vulnerability’ is closed to new replies.