- This topic has 4 replies, 3 voices, and was last updated 1 week, 4 days ago by .
-
Posts
-
Good day,
<div dir=”ltr” style=”box-sizing: border-box; word-break: break-word; overflow-wrap: break-word;”>I wanted to reach out to you about a security vulnerability uncovered for the Store Locator Plus plugin:</div>
<div dir=”ltr” style=”box-sizing: border-box; word-break: break-word; overflow-wrap: break-word;”></div>
<div style=”box-sizing: border-box; word-break: break-word; overflow-wrap: break-word;”></div>
<div dir=”ltr” style=”box-sizing: border-box; word-break: break-word; overflow-wrap: break-word;”>This could allow a malicious actor to view sensitive information that is normally not available to regular users. This can be used to exploit other weaknesses in the system.</div>
<div dir=”ltr” style=”box-sizing: border-box; word-break: break-word; overflow-wrap: break-word;”></div>
<div dir=”ltr”>Currently, there is no official fix available.</div>
<div dir=”ltr”></div>
<div dir=”ltr”>Is this on your team’s radar? And do you have an expected timeline on when a patch will be released to resolve this></div>This is not a vulnerability. The developer is aware of this as identified by the poster ,
when the locations in your dataset is marked private you can still find the url.
We do not see this as sensitive or a vulnerability considering the type of use the plug-in is intended for. Just delete any locations you don’t want to be shown instead of marking them as private.
Please list any other issues you have found or specific info reported if it turns out that’s not the “sensitive data” they are referring to.
The plug-in is not intend for sensitive data use. It is intended for the ability to find locations for your customers queries.
P.S. If you go to the site reporting this you will see this ”
Solutions
This security issue has a low severity impact and is unlikely to be exploited.
<p class=”MsoNormal”>I am currently running version <b>2311.17.01</b> of WordPress Store Locator Plus® plugin… I was thinking of upgrading to 2503.01.01 to potentially get rig of this vulnerability error.</p>
<p class=”MsoNormal”>I have three questions:</p>
<p class=”MsoNormal”>1) Will version 2503.01.01 get rid of the error?</p>
<p class=”MsoNormal”>2) Should I update from <b>2311.17.01 to 2503.01.01</b> even if it does not get rid of the error</p>
<p class=”MsoNormal”>3) If I want to upgrade, do I remove the old version of the plugin first, or just like other plugins, just install the new version over the old version? Anything else special I need to do to upgrade? (Aside from backing up first).</p>
<p class=”MsoNormal”>Thanks,</p>
<p class=”MsoNormal”>\Dave</p>The “vulnerability” is a non issue . Because of the chaos surrounding the WP and WP engine we have not been able to get them to respond.
We will be having another update before the end of this month if you want to wait.
You would have to download the plug-in and manually update , there is no auto updates of SLP plug-in through WordPress.
- You must be logged in to reply to this topic.