bcolflesh

Same here, not good.

Well, it’s definitely not resolved, as you cannot remove Zip AI from your plugin, which makes no sense.

You just released a plugin update and removing Zip AI completely is not included.

Thanks for the explanation – I see the latest 6.4 update has not gone well on various forums for other reasons and I’m sure this is a small issue/workaround in comparison.

I refactored that section of my plugin quick to use single instead of double quotes on the JavaScript injected img tag, but man, it doesn’t seem smart at all to do this – what are people with plugins they didn’t make and no expertise/support going to do when this breaks their site?

If you click on the original reporting link there:

https://wpscan.com/vulnerability/1e733ccf-8026-4831-9863-e505c2aecba6

“The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.”

You have to sanitize input to prevent PHP Object Injection.

If you email [email protected] maybe they can put you in touch with Dao Xuan Hieu before he publishes the PoC on Saturday.

The link explains exactly what wrong, they are trying to help you by not disclosing the exact code – they must have been contacting you, trying to get you to fix this.

You need to fix this ASAP before you are removed from the plugin repo.

You don’t know, but the largest WordPress threat company on Earth does – that’s not good:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/expand-maker/read-more-accordion-322-authenticated-administrator-php-object-injection

LOL, I saw the update notification and came here to see how many people got hosed before I made myself the guinea pig – maybe I’ll wait until tomorrow for the 2.3.x update(s).

Wordfence tagged everyone using this plugin and said to deactivate and delete ASAP yesterday – can we get an update?

I just got back and tried the update again, this time it worked – must be an issue on the WordPress version checking side – thanks for replying.

Anyone know where this query INSERT INTO?wp_options?(option_name,?option_value,?autoload) VALUES (‘wp_collect_spectra_blocks_count_batch…

is happening that keeps failing so I can stop it?

Note that even with autoload off, Spectra is still trying to make the queries and failing per my log (old log, but new lines are the same) – turn on WP_DEBUG and check for yourselves:

2023/01/07 10:36:35 [error] 1127#1127: *40274 FastCGI sent in stderr: “PHP message: PHP Warning: Packets out of order. Expected 3 received 2. Packet size=60 in /var/www/html/myhost.com/public_html/wp-includes/class-wpdb.php on line 2187PHP message: PHP Warning: Packets out of order. Expected 3 received 2. Packet size=60 in /var/www/html/myhost.com/public_html/wp-includes/class-wpdb.php on line 2187PHP message: WordPress database error MySQL server has gone away for query INSERT INTO?wp_options?(option_name,?option_value,?autoload) VALUES (‘wp_collect_spectra_blocks_count_batch_a0a4292e5f6a79959c087deeaa’, ‘a:3975:{i:0;a:2:{s:4:\”data\”;i:149806;s:11:\”list_blocks\”;a:68:{s:21:\”uagb/advanced-heading\”;a:11:{s:4:\”slug\”;s:0:\”\”;s:16:\”admin_categories\”;a:2:{i:0;s:7:\”content\”;i:1;s:4:\”core\”;}s:4:\”link\”;s:16:\”advanced-heading\”;s:3:\”doc\”;s:16:\”advanced-heading\”;s:5:\”title\”;s:7:\”Heading\”;s:11:\”description\”;s:57:\”Add heading, sub heading and a separator using one block.\”;s:7:\”default\”;b:1;s:9:\”extension\”;b:0;s:8:\”priority\”;i:2;s:10:\”deprecated\”;b:0;s:14:\”dynamic_assets\”;a:1:{s:3:\”dir\”;s:16:\”advanced-heading\”;}}s:15:\”uagb/blockquote\”;a:11:{s:3:\”doc\”;s:10:\”blockquote\”;s:4:\”slug\”;s:0:\”\”;s:16:\”admin_categories\”;a:1:{i:0;s:6:\”social\”;}s:4:\”link\”;s:10:\”blockquote\”;s:5:\”title\”;s:10:\”Blockquote\”;s:11:\”description\”;s:45:\”Display qoutes/” while reading response header from upstream, client: cli.ent.ip.addy, server: ser.ver.ip.addy, request: “POST /wp-admin/admin-ajax.php HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php/php7.4-fpm.sock:”, host: “myhost.com”, referrer: “https://myhost.com/wp-login.php”

Holy mackerel, I had no idea they injected that tracking nonsense – totally unethical and ineptly programmed – what a stupid debacle.

This definitely isn’t resolved, crosseyedcoder do you have a patch for the Spectra files that stopped the massive INSERT query?