Update
-
It’s been almost a month; can we please get an update on the patch? Is it in the works at least?
Thank you
-
This plugin seems to be dead.
Moving here: https://wordpress.org/plugins/related-posts-for-wp/
Yeah, and you might want to change plugins; it appears that there is a security vulnerability:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-53010-missing-authorization
-
Hi @kkow We’re looking into the issue. Thank you for your patience.
@jeffparker Please, kindly update your plugin vulnerability issue as soon as possible. Thanks
We have reached out to Patchstack, who has published this, for more information. We don’t seem to have any record of being notified by them. We have since reached out to them and are awaiting details on how to replicate the bug. It should be resolved shortly after we get the necessary information from them.
As noted by Patchstack (the one that found the bug and published the report), this issue has “a low severity impact and is unlikely to be exploited.” …as per https://patchstack.com/database/vulnerability/yet-another-related-posts-plugin/wordpress-yet-another-related-posts-plugin-yarpp-plugin-5-30-10-broken-access-control-vulnerability
Again, thank you for your patience.
YARPP (@jeffparker)
Wordfence has posted on this security issue here: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-53010-missing-authorization
Please, do fix a.s.a.p?
Thanks,
Trish
-
Hi @trible We’re on it. Hope to hear back from Patchstack soon.
Hi all, Really Simple Security is listing this vulnerability this way:
————
Access violation vulnerability in YARPP – Yet Another Related Posts Plugin 5.30.10
- Severity: medium-risk
- Status: Open
- Publication: August 26, 2024
The YARPP plugin for WordPress has a security issue that allows unauthorized access. This means that anyone can perform actions without being properly authenticated.
We’re yet to hear back from Patchstack. Followed up with them again today.
@pjvermij it seems overstated. Patchstack is the one that reported the bug. They themselves have assessed it as “a low severity impact and is unlikely to be exploited.” (published on their site) Given we’ve not been told as yet what the actual issue is, we’ll concur until we find out more!
Update: We’ve heard back. There is zero risk as the “bug” is in a section of code that isn’t even referenced anymore (dead code). Will address.
Are you planning a release to remove this dead code?
This would allow security tools to consider that the flaw is no longer present, even if it doesn’t actually exist.
Thanks
-
@jeffparker: That really would be great, since I love the plugin :)
@jeffparker: Please add my name to the list of those who are eager to see the “dead code” removed from the plugin.
Patch coming later today.
New version with patch is live! Please update to version 5.30.11 or newer.
https://wordpress.org/plugins/yet-another-related-posts-plugin/#developers
We have notified Patchstack (reporter of bug). They should mark this as resolved soon, which then should make its way to Wordfence and others.
Thank you so much for your patience through this. Please update ASAP.