nitstorm
Forum Replies Created
Forum: Plugins
In reply to: [Global Gateway e4 | Payeezy Gateway |] Discovered security vulnerabilities
DonnellC,
Thank you. A full disclosure will be published within a couple of days and I’ll be making a CVE request for the issue.
Forum: Plugins
In reply to: [Global Gateway e4 | Payeezy Gateway |] Discovered security vulnerabilities
It would be your opinion that you feel it is a WordPress issue and not the plugin’s.
Please do release the fix at the soonest since you already have it. I don’t think you realise the severity of the vulnerability issue present in your plugin. If an update is not made soon, I will be forced to escalate the issue to the WordPress Plugins team.
Please also feel free to mail the WordPress Plugins team yourself to confirm if this is a real and valid security vulnerability or not.
Forum: Plugins
In reply to: [ULTIMATE TABLES] Discovered security vulnerabilities
Hi,
Could you please provide me with an e-mail ID that I can send my report to (in case you missed the one sent earlier)?
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Writing Guide] No response to email
Hi,
Any updates for the security fix? Please do write back since it has been more than a month since the report was mailed to you.
Thanks & regards,
Nitin Venkatesh
Hi,
Could you please update me on the situation regarding a solution to the issues reported?
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
Thank you Garrett for the update. As mentioned in the e-mail conversation, a disclosure with the Proof-of-Concept code will be published on Aug 9, 2015 (45 days from the day of update release).
Thanks & regards,
Nitin Venkatesh
Hi,
I’m glad to hear that the issues have been fixed. I have contacted you by email. Hope you received it.
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
Hi Garrett,
Thank you. I have written to you at the specified contact form. Please do get back to me should you require any further information.
Thanks & regards,
Nitin
Forum: Plugins
In reply to: [Global Gateway e4 | Payeezy Gateway |] Discovered security vulnerabilities
The point of a CSRF is hijacking an authenticated user’s session. So yes, the PoC will not work if the user is signed out.
And CSRF is indeed a security vulnerability. In fact, it’s among OWASP’s Top 10 – https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
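As an added illustration of the point made in this reply (not code from the thread or from any plugin discussed in it), here is a WordPress admin action handler that lacks a nonce check beside a hardened version; the `example_*` function, action and option names are hypothetical:

```php
<?php
// Added example, not code from any plugin in this thread. All example_* names are hypothetical.

// VULNERABLE: a state-changing request with no CSRF token check. If a logged-in
// admin's browser is made to submit this form from another site, the browser
// attaches the WordPress session cookies, so the request is authenticated.
function example_save_settings_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // The capability check alone does not help: the victim IS an administrator.
    update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// HARDENED: the form carries a per-user, time-limited nonce that a third-party
// page cannot read, and the handler rejects any request that lacks or fails it.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="api_key">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_protected() {
    // Verifies the nonce and stops with an error page when it is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_protected' );
```

Because the nonce is tied to the logged-in user's session, a request made while signed out fails the same check, which is why a CSRF PoC only demonstrates anything against an authenticated victim.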
Forum: Plugins
In reply to: [WP Mass Delete] Discovered security vulnerabilities
Thank you,
A disclosure regarding this issue will be published on August 4, 2015 (45 days from patch) and I will try to get a CVE assigned to the issue.
I’m very sorry to hear that. And no, I’m not happy. I have no reason to be. I was forced to escalate the situation to the WordPress team since I hadn’t heard from you in a long time or received an acknowledgement. The timeline was as follows:
2015-06-06 – Mailed developer
2015-06-11 – Contacted developer on the forums.
2015-06-19 – Mailed WordPress team.
That said, there are a lot of other online marketplaces for WordPress Plugins and Themes including Envato – https://market.envato.com/ . You could also host your svn tree at GitHub/BitBucket.
Once again, I’m sorry to hear about your plugin.
Hi,
I agree with you that it is the responsibility of the person installing a plugin to use only reliable feeds. I’ve replied to your comment via an e-mail since it deals with the specifics of the report. Please do read it and you’ll see that it is indeed a legitimate vulnerability.
Forum: Plugins
In reply to: [Global Gateway e4 | Payeezy Gateway |] Discovered security vulnerabilities
Hi,
Still waiting for an update on the fix. Please do respond soon as the vulnerability details are public as per your previous request.
Forum: Plugins
In reply to: [Analyticator] Discovered security vulnerabilities
Hi Garrett,
Thank you for publishing the fix. Since the issue was made public a while back, I’d like to publish a disclosure report on the Full Disclosure mailing list and then request for a CVE in the oss-sec mailing list. I hope this is okay with you.
Nitin
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
Hi Plugin Authors,
Could you please acknowledge this thread and is there an email ID I can send the report to?
Nitin