Erik Geurts

This matter has been known to you and everybody else for over a month now, so “actively working on it” is a gotspe. The fix you’re referring to should have been released before the vulnerability was disclosed.

Also, it seems you have marked this topic as “resolved”, which is absolutely incorrect.

No VPN for me.

I registered there but I still open the page to cast my vote, even when logged in I get a 403 error message.

I can’t see that page, nor log in, because I don’t have a username (because I never purchased anything, this is a free plugin after all).

Thanks for taking care of this, I can confirm it displays as before again, nice!

Your plugin currently has 3 unpatched vulnerabilities, and this has been ongoing for more than 2 weeks. This needs to be fixed ASAP.

You have the questionable honor of being listed with 2 more unpatched vulnerabilities in the next report from SolidWP.com yesterday. Apologizing is not enough, and this is not just an “inconvenience”. It sounds to me like you simply have no idea how to handle this. The patch should have been released at the same time that the CVE was assigned. This is – frankly – extremely concerning and you need to step up your game hugely to fix this enormous blow to your reputation as a developer.

I’m rather concerned about the fact that you never bothered to reply to this question. Are you even serious about software security?

I just noticed how well this looks in the admin bar on a mobile device, great!

I’ve started translating the plugin into my language, Dutch. Half-way done, I’ll do the rest in the next few days.

That’s great, thanks for the quick turn-around on this!

Thanks, that helped a lot!

Thanks for the quick feedback. How do I allow access to that one file while still blocking access to everything else in wp-admin? I realize this is not a product specific question, more an Apache question…

There have been a few changes to the class-wp-filesystem-ftpext.php file in the months leading up to the WordPress 5.3 release, notably removing the @ sign in front of several function calls.

The @ sign in PHP suppresses warnings and errors, so without these these warnings are now visible, but the problem(s) have been there for longer than just the 5.3 release.

There are other warnings (they are not errors, for the record), on other lines of the same file as well.

Here is a link to the commit that is responsible for these code changes: https://github.com/WordPress/WordPress/commit/abcbee954f4d8baa5aff2df566a942c1b48ca2d7#diff-36cca02cf5f85f908bec71f2eaf97585

As far as I can tell, the cause of the warnings is that the ‘$this->link’ never gets assigned a value and this triggers warnings when being used in function calls.

• This reply was modified 5 years, 4 months ago by Erik Geurts. Reason: changed 'weeks' to 'months'