WPIntell

Source evidence

Sensitive Information Exposure

StaffList · support · 2025-08-13T22:54:00+00:00

Sentiment: complaint
Severity: high
Relevance: 1.0
Replies: 4
Evidence linked to opportunity: commercial context

Proof Health

Open evidence

Commercial opportunities need traceable source links before they are treated as build-worthy.

5 / 31 rows with source links (16.1% of this page's analysis has direct source links)

0 build-decision rows missing links (0 rows here require auditable proof before promotion)

26 rows with no attached evidence (0 rows have source counts but still need direct links)

Conversation

support
cashdro · unresolved

I’m getting security notifications that the plugin “StaffList” has a security vulnerability.

Description: The StaffList plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

References: patchstack.com

How can this be corrected?

The page I need help with: [ log in to see the link]

Comments

4 shown
ERA404 Support 2025-08-14T15:31:00+00:00

We will use this forum post to notify you if we are presented with any legitimate claims about a vulnerability. In the meanwhile, StaffList is a plugin that helps site owners publish a full directory of their staff/faculty. Before using the plugin, we urge you to consider whether or not this information is too sensitive to be shared.

cashdro 2025-08-14T15:47:00+00:00

What would constitute a “legitimate claim”? Are you saying someone needs to be hacked before this is looked into more closely?

ERA404 Support 2025-08-14T17:15:00+00:00

From Google:

Be clear and concise: Explain the vulnerability, its potential impact, and how to reproduce it, but avoid revealing sensitive details at this stage.

What to include in your report

Detailed vulnerability description: Explain the issue clearly, its location, and how it can be exploited. Provide steps to reproduce the vulnerability, including screenshots, HTTP requests, or proof-of-concept code. Consider the impact of the vulnerability, referencing CVSS scores where applicable.

Relevant details: List affected software and versions. Explain any special configurations needed to reproduce the issue. Suggest potential remediation actions. Include references or external resources for further reading.

cashdro 2025-08-14T19:06:00+00:00

Why are you copying and pasting something you searched up on Google versus having your own company policies for this? You should look into why someone using your plugin would get such an alert. This is a very questionable response. It reeks of unaccountability.

This reply was modified 9 months, 4 weeks ago by cashdro.