Bob
Forum Replies Created
I just narrowed it down as well and came here to see if anyone else had posted. Thank you @mjkraus for sharing and helping others! I hope they fix it soon!
Bob
We are seeing the same issue. Hopefully @msykes sees these and includes a fix in the next version, as pagination is completely broken.
Those are very good points. Especially the premium add-ons that do not have the ability to get public scrutiny. Hopefully, the authors will apply this hard-earned knowledge to all of their programming.
While any vulnerability is not ideal, keep in mind this one requires “authenticated attackers, with administrator-level permissions”. If you are already an administrator, you can do pretty much anything you want. So if you are worried about your administrators, you have other problems. It certainly is not great, but it’s good to have a little perspective. I hope the authors patch and do additional review. This plugin where some issues are known and patched is better than another unknown one!
In the description it says “makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.” That is also what happens if you give someone an administrator-level account.
Finally, this only affects multi-site installations and installations where unfiltered_html has been disabled. That has to be a small number of total installations as a percentage.
Just trying to throw some perspective in here. Maybe I’m seeing it incorrectly but these “authenticated attackers, with administrator-level permissions” issues do not scare me as much as allowing people to be administrator-level to begin with.
Forum: Fixing WordPress
In reply to: Dashboard All Messed Up After Update
@joemd we’ve seen some sites with this behavior but have not tracked down the ultimate reason yet. For us, load-styles.php was resulting in a 404 when running PHP 8.0 (but not 7.4 or 8.1). The page outputs a cache header so to see this issue consistently you need to hard refresh or use a disabled cache with the inspector open. Have not had time to do more debugging yet, but I will update here if I go back and figure it out.
I’m also receiving a few security vulnerability emails that seem wrong. The “Vulnerability Information” link 404s at cve.org and when I search for the CVE number it’s pretty old. Have received about a dozen from several sites so far including:
- The Plugin “TablePress” has a security
- The Plugin “Responsive Lightbox” has a security vulnerability.
- The Plugin “Ninja Forms – File Uploads” has a security vulnerability.
- The Plugin “WP Super Cache” has a security vulnerability.
- The Plugin “Admin Columns Pro” has a security vulnerability.
Forum: Plugins
In reply to: [Minimum Purchase for WooCommerce] Error – Latest Version 2.0.0
Sorry @vark, I missed your reply to us while I was digging around. Will message you!
Forum: Plugins
In reply to: [Minimum Purchase for WooCommerce] Error – Latest Version 2.0.0
Hi @vark,
I suspect this is related to your assumption in minimum-purchase-for-woocommerce/vt-minimum-purchase.php that you will only be called in the context of a populated $pageURL. When external tools execute your plugin that isn’t happening so admin/vtmin-rules-ui.php is never require_once()’d which means Class VTMIN_Rules_UI is never defined.
I agree with @webinaut that it would be easy for you to use ManageWP or InfiniteWP to reproduce this.
Bob
Forum: Plugins
In reply to: [Minimum Purchase for WooCommerce] Error – Latest Version 2.0.0
Haven’t had time to do any research but I did notice when the site is called with https://infinitewp.com/ the client throws this error so the dashboard cannot get an update from the site. So that’s one way to reproduce it.
Forum: Plugins
In reply to: [Minimum Purchase for WooCommerce] Error – Latest Version 2.0.0
FWIW, we have a customer on 2.0.0 who is experiencing the same issue. I’m not sure how to reproduce it yet as we’re seeing it via the “Your Site is Experiencing a Technical Issue” emails from WordPress. Following this closely and will update you here if I can reproduce it.
WordPress version 6.0.2
Active theme: Beaver Builder Child Theme (version 1.0.0)
Current plugin: VarkTech Minimum Purchase for WooCommerce (version 2.0.0)
PHP version 7.4.30
Error Details
=============
An error of type E_ERROR was caused in line 289 of the file public_html/wp-content/plugins/minimum-purchase-for-woocommerce/vt-minimum-purchase.php. Error message: Uncaught Error: Class ‘VTMIN_Rules_UI’ not found in public_html/wp-content/plugins/minimum-purchase-for-woocommerce/vt-minimum-purchase.php:289
Stack trace:
#0 public_html/wp-includes/class-wp-hook.php(307): VTMIN_Controller->vtmin_admin_init(”)
#1 public_html/wp-includes/class-wp-hook.php(331): WP_Hook->apply_filters(NULL, Array)
#2 public_html/wp-includes/plugin.php(476): WP_Hook->do_action(Array)
#3 public_html/wp-content/plugins/iwp-client/core.class.php(249): do_action(‘admin_init’)
#4 public_html/wp-includes/class-wp-hook.php(307): IWP_MMB_Core->admin_wp_loaded_iwp(”)
#5 public_html/wp-includes/class-wp-hook.php(331): WP_Hook->apply_filters(NULL, Array)
#6 public_html/wp-includes/plugin.php(476): WP_Hook->do_action(Array)
#7 public_html/wp-settings.php(620): do_action(‘wp_loaded’)
#8 public_html/wp-config.php(82): require_once(‘…’)
Forum: Plugins
In reply to: [ShareThis Share Buttons] Undefined property: WP_Post_Type::$term_id
I am using the latest version, 1.5.2. I see nothing on the plugin page and there’s nothing in SVN so this is the latest. You may have missed the part where I told you it was on the latest version already.
Hi Nico – I am still seeing it come out and get cached on sites with WP Rocket. Any chance you are aware of this and have a fix coming?
Forum: Plugins
In reply to: [Timely All-in-One Events Calendar] Twig object/array error
+1 for this.
I’m seeing it too since updating to PHP 7.4. Hopefully we’ll see a fix soon!
Forum: Plugins
In reply to: [Imsanity] Does it automatically delete the hi-res uploaded file?
Bulk delete of hi-res originals is something we’d love in Imsanity. Following!
Forum: Plugins
In reply to: [Breadcrumb NavXT] Error “Not all markup is eligible for rich results”
I am seeing this on a dozen sites so far and for the life of me I can’t figure out what’s wrong. Everything seems to be like it always has been and most pages validate fine. Following this post.
I noticed in Louno’s example above the item name failing is:
General Tso’s Chicken
and in one of my examples I have:
Owner’s Guides
Not all of mine have encoded quotes, though. Just an observation.