
Viewing 5 posts - 1 through 5 (of 5 total)
  • #83687
    info223
    Participant

    Good day,

    I wanted to reach out to you about a security vulnerability uncovered for the Store Locator Plus plugin:

    This could allow a malicious actor to view sensitive information that is normally not available to regular users. This can be used to exploit other weaknesses in the system.

    Currently, there is no official fix available.

    Is this on your team’s radar? And do you have an expected timeline on when a patch will be released to resolve this?

    #83690
    Cici
    Keymaster

    This is not a vulnerability. The developer is aware of this as identified by the poster, when the locations in your dataset are marked private you can still find the URL.

    We do not see this as sensitive or a vulnerability considering the type of use the plug-in is intended for. Just delete any locations you don’t want to be shown instead of marking them as private.

    Please list any other issues you have found or specific info reported if it turns out that’s not the “sensitive data” they are referring to.

    The plug-in is not intended for sensitive data use. It is intended for the ability to find locations for your customers’ queries.

    #83691
    Cici
    Keymaster

    P.S. If you go to the site reporting this you will see this:

    “Solutions

    This security issue has a low severity impact and is unlikely to be exploited.”

    #83951
    Jill
    Participant

    I am currently running version 2311.17.01 of WordPress Store Locator Plus® plugin… I was thinking of upgrading to 2503.01.01 to potentially get rid of this vulnerability error.

    I have three questions:

    1) Will version 2503.01.01 get rid of the error?

    2) Should I update from 2311.17.01 to 2503.01.01 even if it does not get rid of the error?

    3) If I want to upgrade, do I remove the old version of the plugin first, or just like other plugins, just install the new version over the old version? Anything else special I need to do to upgrade? (Aside from backing up first).

    Thanks,

    \Dave

    #83956
    Cici
    Keymaster

    The “vulnerability” is a non-issue. Because of the chaos surrounding the WP and WP Engine we have not been able to get them to respond.

    We will be having another update before the end of this month if you want to wait.

    You would have to download the plug-in and manually update, there are no auto updates of SLP plug-in through WordPress.
