alexeydemidov
Forum Replies Created
Forum: Plugins
In reply to: [Collapse-O-Matic] Reported vulnerability <= 1.8.5.7

It seems that Patchstack messed with reporting. There is a new CVE-2024-4095 which was fixed in 1.8.5.8: https://plugins.trac.www.ads-software.com/changeset?sfp_email=&sfph_mail=&reponame=&old=3094116%40jquery-collapse-o-matic&new=3094116%40jquery-collapse-o-matic&sfp_email=&sfph_mail= . Patchstack didn’t bother adding this CVE or paying attention that version 1.8.5.8 isn’t vulnerable, but just marked the old CVE-2023-40669 as reopened and affecting all versions including 1.8.5.8. These vulnerabilities are similar but different: the old one was an XSS injection through the ‘tag’ attribute and the new one through the ‘id’ attribute. Wordfence reported the new CVE (https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/jquery-collapse-o-matic/collapse-o-matic-1858-authenticated-contributor-stored-cross-site-scripting-via-shortcode) but didn’t read the description and marked 1.8.5.8 as vulnerable even though the description clearly states versions up to 1.8.5.7. They also seem to have imported Patchstack’s info and marked the old CVE-2023-40669 as unpatched: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/jquery-collapse-o-matic/collapse-o-matic-184-authenticated-contributor-stored-cross-site-scripting
Both Wordfence and Patchstack need to get some strongly worded emails and fix their databases.
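For readers who want to see the class of bug the two CVEs above belong to, the following is an added illustration and not the Collapse-O-Matic plugin's code, the poster's code, or the content of either CVE. It shows the generic pattern of a WordPress-style shortcode handler that copies the ‘tag’ and ‘id’ attributes straight into markup (stored XSS by an author who can insert shortcodes), beside a hardened version that whitelists the element name and escapes the rest. The function names, the attribute set, the allowed-tag list and the two sample payloads are all assumptions made for the example; it is plain PHP with `htmlspecialchars()` standing in for WordPress's `esc_attr()` / `esc_html()` so that it runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's own code. Function and attribute
// names, the whitelist and the sample payloads are assumptions for the example.

// Vulnerable pattern: shortcode attributes are interpolated into HTML unescaped,
// so both the element name ('tag') and the attribute value ('id') are injection points.
function render_expand_vulnerable(array $atts): string {
    $tag   = $atts['tag']   ?? 'span';
    $id    = $atts['id']    ?? 'expand-1';
    $title = $atts['title'] ?? '';
    return "<{$tag} id=\"{$id}\" class=\"collapseomatic\">{$title}</{$tag}>";
}

// Hardened pattern: the element name comes from a fixed whitelist (escaping alone
// cannot make an arbitrary tag name safe), and every attribute/text value is escaped.
const ALLOWED_TAGS = ['span', 'div', 'p', 'h2', 'h3', 'h4'];

function esc(string $value): string {
    // Standalone stand-in for WordPress esc_attr()/esc_html().
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_expand_hardened(array $atts): string {
    $tag = strtolower((string)($atts['tag'] ?? 'span'));
    if (!in_array($tag, ALLOWED_TAGS, true)) {
        $tag = 'span'; // unknown or hostile element name falls back to a safe default
    }
    $id    = esc((string)($atts['id']    ?? 'expand-1'));
    $title = esc((string)($atts['title'] ?? ''));
    return "<{$tag} id=\"{$id}\" class=\"collapseomatic\">{$title}</{$tag}>";
}

// Constructed sample inputs of the two shapes discussed in the thread:
// one that abuses the 'id' attribute value, one that abuses the 'tag' element name.
$via_id  = ['id'  => '" onmouseover="alert(1)',          'title' => 'Read more'];
$via_tag = ['tag' => 'script>alert(1)</script><span',    'title' => 'Read more'];

foreach (['via id' => $via_id, 'via tag' => $via_tag] as $label => $atts) {
    echo "[{$label}] vulnerable: " . render_expand_vulnerable($atts) . "\n";
    echo "[{$label}] hardened:   " . render_expand_hardened($atts)   . "\n";
}
```

Running it shows the vulnerable renderer emitting a live `onmouseover` handler for the first input and an injected `<script>` element for the second, while the hardened renderer produces an inert `id="&quot; onmouseover=&quot;alert(1)"` and falls back to `<span>` for the bogus element name. The point for triage of the two CVEs is that the fix for an unescaped `id` value does nothing for an unvalidated `tag` name and vice versa: they are separate sinks and need separate fixes, which is why a database entry that collapses them into one "reopened" record is misleading.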
According to Patchstack’s Disclosure Policy, they are supposed to contact the software author 30 days before publishing a vulnerability in order to provide time to prepare patches. You may want to contact them to check why they failed to follow their own policy.
Forum: Plugins
In reply to: [Collapse-O-Matic] Resolving Vulnerabilities

I submitted a pull request which fixes these vulnerabilities 3 weeks ago: https://github.com/baden03/collapse-o-matic/pull/9