False positive security error | WordPress.org

Resolved EricJohnsonGuru
(@wormeyman)

3 months, 3 weeks ago

Wordfence, Jetpack Protect, and others are not sure if the plugin is secure because it has never been reported that the vulnerability was fixed. Can you please contact them and close the CVE?

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/mediavine-create/create-by-mediavine-1915-unauthenticated-insecure-direct-object-reference

https://wpscan.com/vulnerability/612d1bdd-0c98-4e09-9cd0-bbc18681c086/

Viewing 3 replies - 1 through 3 (of 3 total)

JM
(@jmlallier)

3 months, 3 weeks ago

Hi @wormeyman,

Thank you for reaching out. I have tried reaching out to Patchstack (the source of the report) many times since they first brought it up to me in August. Unfortunately, they are not responding and have not removed the report.

I have just reached out again and asked for some assistance from others in trying to get a response, and hopefully we can get this resolved.

For what it’s worth, the “vulnerability” they reported is not a threat and is an intentionally unauthenticated endpoint, similar to the built-in /wp-json/wp/v2/posts/{id} endpoint.

Thank you!

JM
(@jmlallier)

3 months, 2 weeks ago

Hi @wormeyman!

I finally heard back from Patchstack and they have rejected the CVE (https://www.cve.org/CVERecord?id=CVE-2025-62893).

I’ve now reached out to WordFence, WPScan, and Jetpack Protect to ask them to update their notices.

If this resolves your issue, would you kindly mark this thread as resolved?

Thanks again!
JM

Thread Starter EricJohnsonGuru
(@wormeyman)

3 months, 2 weeks ago

Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

4 replies
2 participants
Last reply from: EricJohnsonGuru
Last activity: 3 months, 2 weeks ago
Status: resolved