Anthony Thorne
Forum Replies Created
Forum: Plugins
In reply to: [Pre* Party Resource Hints] SQL Injection vulnerability
Hi Sam,
This patch does not appear to have fixed the issue.
https://patchstack.com/database/vulnerability/pre-party-browser-hints
The vulnerability appears to still be present. The link above was last updated for the latest release, 1.8.19, and still states "Vulnerability history 1 present 0 patched".
I’m not 100% sure this is it, but it might be worth looking at the comment I made last week to see if sanitizing the order and order by variables with sanitize_sql_orderby helps.
It might be best to reach out to the reporter to see if they can provide more information Muhammad Daffa. Alternatively, Patchstack may be able to shed some light on it [email protected].
Kind Regards,
- This reply was modified 10 months, 1 week ago by Anthony Thorne.
Forum: Plugins
In reply to: [Pre* Party Resource Hints] SQL Injection vulnerability
Hello Sam (Plugin Author),
Thank you for your input and the valuable references shared by previous contributors, including the links to Patchstack and the reports by Muhammad Daffa. After reviewing Muhammad’s history of reporting, I’ve noticed a recurring theme of SQL Injection vulnerabilities.
Having examined some of these reports in relation to your current plugin version, I suggest focusing on the file located at plugins/pre-party-browser-hints/includes/common/DAO.php, specifically in the get_admin_hints_query method, at line 140:

    " ORDER BY $order_by $order"

It appears that this section could benefit from an update, possibly along the lines of what follows.

    $order_by_sql = sanitize_sql_orderby( "{$order_by} {$order}" );
    $new_query['sql'] .= " ORDER BY $order_by_sql";
Kind Regards,
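As an added example of the kind of fix the reply above proposes (this is not code from the Pre* Party Resource Hints plugin or from the poster), here is an ORDER BY builder that first restricts the column and direction to an allow-list and then runs the result through sanitize_sql_orderby() as a second check. The small polyfill reproduces the pattern WordPress core's sanitize_sql_orderby() accepts so the script runs from the php CLI outside WordPress; the column names, the helper name build_order_by_clause, and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not the plugin's own code. Demonstrates building an
// ORDER BY fragment from untrusted $order_by / $order values safely.

// Polyfill so this runs outside WordPress. The regular expression mirrors
// the one WordPress core uses in sanitize_sql_orderby(): it accepts only
// comma-separated identifiers (optionally backtick-quoted), each with an
// optional ASC/DESC, and returns false for anything else.
if ( ! function_exists( 'sanitize_sql_orderby' ) ) {
    function sanitize_sql_orderby( $orderby ) {
        $pattern = '/^\s*(([a-z0-9_]+|(`[a-z0-9_]+`))(\s+(ASC|DESC))?\s*(,\s*(?=[a-z0-9_`])|$))+$/i';
        if ( preg_match( $pattern, $orderby ) ) {
            return $orderby;
        }
        return false;
    }
}

/**
 * Build the " ORDER BY ..." fragment for a query.
 *
 * Unknown columns or directions are replaced by fixed defaults, so request
 * input never reaches the SQL string unchanged. (Hypothetical helper name.)
 */
function build_order_by_clause( $order_by, $order ) {
    // Constructed allow-list; a real plugin would list its own table columns.
    $allowed_columns = array( 'id', 'url', 'hint_type', 'created_at' );

    $column = strtolower( (string) $order_by );
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        $column = 'id';
    }

    $direction = ( strtoupper( (string) $order ) === 'DESC' ) ? 'DESC' : 'ASC';

    // Independent second check. sanitize_sql_orderby() returns false (not an
    // empty string) on failure, so the result must never be concatenated
    // without testing it first.
    $fragment = sanitize_sql_orderby( "{$column} {$direction}" );
    if ( false === $fragment ) {
        $fragment = 'id ASC';
    }

    return " ORDER BY {$fragment}";
}

// Constructed sample inputs: one benign, one with a non-identifier column
// value, one with a bad direction word.
$samples = array(
    array( 'url', 'desc' ),
    array( 'url; SELECT 1', 'asc' ),
    array( 'created_at', 'sideways' ),
);

foreach ( $samples as $pair ) {
    list( $order_by, $order ) = $pair;
    echo build_order_by_clause( $order_by, $order ), PHP_EOL;
}

// What the raw sanitizer alone does with the second input: it returns false.
var_export( sanitize_sql_orderby( 'url; SELECT 1' ) );
echo PHP_EOL;
```

One caveat for anyone applying only the two-line change quoted in the reply: because sanitize_sql_orderby() returns false when its pattern does not match, appending that result directly produces " ORDER BY " followed by nothing, which turns a malicious value into a SQL syntax error rather than silently ordering by a default. Rejecting the input against an allow-list first, as above, keeps the query valid and keeps the error surface small.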
Forum: Plugins
In reply to: [Jetpack - WP Security, Backup, Speed, & Growth] Jetpack Popular Posts
Is there any way I or the client I work for can request a feature change?
The logic would either need to be able to handle posts published between date ranges. Or we gather that info with a query and hand it to the function in the form of post IDs.
Sounds simple enough, but I understand these things never are.
Thanks
Anthony
Forum: Plugins
In reply to: [Jetpack - WP Security, Backup, Speed, & Growth] Jetpack Popular Posts
Thanks for the reply,
I am leveraging the related post feature for the custom related posts section, it works well.
However this case is more specific, I’ve looked at the code here https://github.com/Automattic/jetpack/blob/819bcc51c4e6e3e82b43d526a95219eea1435757/projects/plugins/jetpack/modules/widgets/top-posts.php#L624
My understanding is that it’s getting popular posts in the last 24 hrs (published anytime), not the popular posts that were published in the last 24 hrs (x hrs/days).
Forum: Plugins
In reply to: [AMP for WP - Accelerated Mobile Pages] Uploads Read Write Permissions
Hi Ahmed,
I have confirmed that disabling your plugin removes the warning.
My guess is that it has something to do with WordPress VIP infrastructure.
They recommend that we use an alternative AMP plugin, however, I would like to get this working or find out if hiding it from other admins is ok?
Thanks
Thanks for the support,
I have identified the issue and it’s not with Jetpack; as above, it is within an MU plugin: “I traced the issue where a the_content filter that’s using DOMDocument to parse and add nodes.”
- This reply was modified 4 years, 1 month ago by Anthony Thorne.
I setup a vanilla install of WP, and Jetpack works as expected with inline embeds.
I traced the issue where a the_content filter that’s using DOMDocument to parse and add nodes. This content filtering works as expected with Jetpack disabled, so it’s hard to identify where the conflict is.
Changing the priority to later doesn’t help.
Also just to be clear on a few use cases:
With Jetpack active, and module active or deactivated, Facebook links embed and work in the editor but not the front end.
With Jetpack active, and module deactivated, Instagram links embed both in the editor and front end.