• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Vulnerabilities that does not exist

R

Redsector

New Pleskian
Server operating system version
Ubuntu 20.04.6
Plesk version and microupdate number
18.0.51
Hello there,
I suppose something is stuck either on my side or in the tool.
I have updated to WP 6.2 and the toolkit still report there is an issue "WordPress <= 6.1.1 - Unauth. Blind SSRF vulnerability", but 6.2 is clearly > 6.1.1

Plus I have installed "UpdraftPlus - Backup/Restore 1.23.3" and wp toolkit report to me there is a vulnerability on "WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2" which I don't have. To be clear, the version 2.x is the pro paid version, the 1.xx is the free one. They are different stuff, and to be even more clear, according to the developer, the bug is fixed also in version 1.23.3. I Suggest you to either recognize 1.X and 2.X or to simply discard the first digit.

I hope this help removing this red ! that cannot alert me if new things are to be considered
Thanks
 
Hello,
I thought version WP6.2 was going to fix that.
I checked these options (xmlrpc and pinkback) for several years.
For the UpdraftPlus extension, there is indeed an issue with WP Toolkit not seeing the correct version installed.
Thanks,
 
Sorry after reading again, I am not sure any more. They say: "as they need more time to work on backports." What I read was: The Wordpress Maintainers think the bug is fixed in Wordpress 6 but had to fix Wordpress 5, too.
I can't find an official statement from Wordpress or an independent proof the bug still exists.
 
Netaction said:
I can't find an official statement from Wordpress or an independent proof the bug still exists.
Click to expand...

So... proof that it's been fixed?

This is a WordPress issue at the end of the day. Why make this a Plesk issue?
 

#57363 (WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding) – WordPress Trac

core.trac.wordpress.org core.trac.wordpress.org
Now I fond something. The Wordpress Dev says yeah the bug exists but simply use a trusted DNS, send some good hopes with your prayers and maybe nobody will be affected.
(Following this logic, no Wordpress page should use HTTPS as Wordpress' security relys on the network. Any DNS should be trusted to work as SSL Cert Autority)

OK then Plesk's mentioning of the security issue is correct. The message "WordPress <= 6.2" is at least misleading as 6.2.2 is affected too. The link to Patchstack is not the best choice, there are confirmations from the Wordpress team itself.
 
Hello,
For the UpdraftPlus Plesk and WP Tolkit say :
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But i have "UpdraftPlus - Backup/Restore 1.23.4".
WP Toolkit not seeing the correct version installed.
Thanks,
 
olivier09 said:
Hello,
For the UpdraftPlus Plesk and WP Tolkit say :
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But i have "UpdraftPlus - Backup/Restore 1.23.4".
WP Toolkit not seeing the correct version installed.
Thanks,
Click to expand...

Important - PLEASE FOLLOW THIS INSTRUCTION IF YOU BELIEVE THAT FOUND A BUG!

Dear Pleskians, Please, click Submit Report button and use the template in this special forum subsection if you really believe you discovered a new bug and need to report it to the Plesk developers. It does allow us to handle and resolve your requests much more efficiently. Please be careful...
talk.plesk.com talk.plesk.com
 
olivier09 said:
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But i have "UpdraftPlus - Backup/Restore 1.23.4".
Click to expand...
Exactly the same bug here.

Maarten. said:

Important - PLEASE FOLLOW THIS INSTRUCTION IF YOU BELIEVE THAT FOUND A BUG!

Dear Pleskians, Please, click Submit Report button and use the template in this special forum subsection if you really believe you discovered a new bug and need to report it to the Plesk developers. It does allow us to handle and resolve your requests much more efficiently. Please be careful...
talk.plesk.com talk.plesk.com
Click to expand...
Lol no. We disclosed several bugs here the last days and only got shady excuses.
 
Netaction said:
Lol no. We disclosed several bugs here the last days and only got shady excuses.
Click to expand...
Please provide a list of these bugs you disclosed and the shady excuses you got. As far as I remember you were simply wrong with your assumptions, but maybe I have missed something.

The "Updraft" issue was first reported in April and has already been fixed. It should not occur in WP Toolkit version 6.3.0-7223 or newer. Which WP Toolkit version are you using? Updates for the WP Toolkit extension are rolled out gradually, so it is possible that your installation does not have it yet. Same principle as explained before regarding Wordpress updates.
 
I really like the quality and service of Plesk. They focus on useful tools. There are no functions just to be cool or just to have a buzzword in advertisement. The quality is fine so far. But telling it is on purpose to install an update a day later then everyone else really annoys me. It looks like a bug and bugs might happen, that's allright if you stand by it. Just please don't deny an issue if you see it by reflex.
After knowing this list of security issues might have some problems with Wordpress bugs, version numbers, Plugin bugs and Plugin names, I will take it with a grain of salt in the future, and this is fine for me. But calling those issues "resolved" doesn't make them disappear.
 
The nightly maintenance concept is by design. Gradual roll-outs are also by design and serve several important purposes such as not overloading source servers. There are no plans to change either.

If the current Wordpress maintenance is not fast enough for your business case you can always and very easily update Wordpress from the Wordpress Dashboard.
 
You must log in or register to reply here.

Similar threads

N
Issue WordPress Toolkit reporting old vulnerabilities
Replies
1
Views
1K
custer
custer
P
Resolved WP Toolkit vulnerability alert might be a false positive? [Unauthenticated Blind SSRF]
Replies
5
Views
4K
Wiz
Wiz
D
Resolved problem with alert about a vulnerability in a plugin that's already fixed
Replies
1
Views
1K
Daniel-spain
D
N
Resolved Update data wrong and late
Replies
3
Views
1K
Netaction
N
Bitpalast
Forwarded to devs WP Toolkit error: Database credentials not working on installation dialog when the database does not yet exist
Replies
6
Views
2K
Bitpalast
Bitpalast
Back
Top