Vulnerabilities that do not exist

Redsector

New Pleskian
Server operating system version
Ubuntu 20.04.6
Plesk version and microupdate number
18.0.51
Hello there,
I suppose something is stuck either on my side or in the tool.
I have updated to WP 6.2 and the toolkit still reports there is an issue "WordPress <= 6.1.1 - Unauth. Blind SSRF vulnerability", but 6.2 is clearly > 6.1.1.

Plus I have installed "UpdraftPlus - Backup/Restore 1.23.3" and WP Toolkit reports to me there is a vulnerability in "WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2", which I don't have. To be clear, version 2.x is the PRO paid version, 1.xx is the free one. They are different things, and to be even more clear, according to the developer, the bug is also fixed in version 1.23.3. I suggest you either recognize 1.X and 2.X or simply discard the first digit.

I hope this helps remove this red ! that cannot alert me if new things are to be considered
Thanks
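The two false positives described in this post, as an added example (not Plesk or WP Toolkit code): a scanner-side check that compares version components numerically and matches the plugin edition before raising an alert. The advisory titles and version bounds are the ones quoted above; the product slugs ("wordpress", "updraftplus", "updraftplus-pro") are constructed labels.

```python
# Version-range matching for vulnerability advisories. Added illustration, not
# Plesk or WP Toolkit code; advisory titles and bounds come from the thread,
# the product slugs are constructed labels.
from dataclasses import dataclass
from typing import Optional
import re

def parse_version(v: str) -> tuple:
    """'6.1.1' -> (6, 1, 1). Compare numerically, never as strings or by the
    first digit alone: 6.2 sorts after 6.1.1, and 1.23.3 is not 2.23.3."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return parts

def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1; missing trailing components count as zero (6.2 == 6.2.0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (n - len(pa)), pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)

@dataclass(frozen=True)
class Advisory:
    product: str  # exact edition slug: the free and PRO plugins are distinct products
    title: str
    min_version: Optional[str]  # inclusive lower bound; None = every earlier version
    max_version: str  # inclusive upper bound (last affected version)

def is_affected(product: str, installed: str, adv: Advisory) -> bool:
    """True only if the edition matches and the version lies inside the range."""
    if product != adv.product:
        return False
    if adv.min_version is not None and version_cmp(installed, adv.min_version) < 0:
        return False
    return version_cmp(installed, adv.max_version) <= 0

# Constructed advisory records for the two alerts quoted in the post above.
ADVISORIES = [
    Advisory("wordpress", "WordPress <= 6.1.1 - Unauth. Blind SSRF vulnerability",
             None, "6.1.1"),
    Advisory("updraftplus-pro", "WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 "
             "- Broken Access Control Vulnerability", "2.22.14", "2.23.2"),
]

def open_alerts(installed: dict) -> list:
    """Titles of advisories that actually apply to the installed products."""
    return [a.title for prod, ver in installed.items()
            for a in ADVISORIES if is_affected(prod, ver, a)]
```

With the installed set from the post, `open_alerts({"wordpress": "6.2", "updraftplus": "1.23.3"})` returns an empty list, because 6.2 lies above the 6.1.1 bound and the free plugin slug does not match the PRO advisory.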
 
Hello,
I thought version WP6.2 was going to fix that.
I checked these options (xmlrpc and pingback) for several years.
For the UpdraftPlus extension, there is indeed an issue with WP Toolkit not seeing the correct version installed.
Thanks,
 
Sorry after reading again, I am not sure any more. They say: "as they need more time to work on backports." What I read was: The Wordpress Maintainers think the bug is fixed in Wordpress 6 but had to fix Wordpress 5, too.
I can't find an official statement from Wordpress or an independent proof the bug still exists.
 
I can't find an official statement from Wordpress or an independent proof the bug still exists.

So... proof that it's been fixed?

This is a WordPress issue at the end of the day. Why make this a Plesk issue?
 
Now I found something. The Wordpress Dev says yeah the bug exists but simply use a trusted DNS, send some good hopes with your prayers and maybe nobody will be affected.
(Following this logic, no Wordpress page should use HTTPS as Wordpress' security relies on the network. Any DNS should be trusted to work as SSL Cert Authority)

OK then Plesk's mentioning of the security issue is correct. The message "WordPress <= 6.2" is at least misleading as 6.2.2 is affected too. The link to Patchstack is not the best choice, there are confirmations from the Wordpress team itself.
 
Hello,
For the UpdraftPlus Plesk and WP Toolkit say :
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But I have "UpdraftPlus - Backup/Restore 1.23.4".
WP Toolkit not seeing the correct version installed.
Thanks,
 
 
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But I have "UpdraftPlus - Backup/Restore 1.23.4".
Exactly the same bug here.

Lol no. We disclosed several bugs here the last days and only got shady excuses.
 
Lol no. We disclosed several bugs here the last days and only got shady excuses.
Please provide a list of these bugs you disclosed and the shady excuses you got. As far as I remember you were simply wrong with your assumptions, but maybe I have missed something.

The "Updraft" issue was first reported in April and has already been fixed. It should not occur in WP Toolkit version 6.3.0-7223 or newer. Which WP Toolkit version are you using? Updates for the WP Toolkit extension are rolled out gradually, so it is possible that your installation does not have it yet. Same principle as explained before regarding Wordpress updates.
 
I really like the quality and service of Plesk. They focus on useful tools. There are no functions just to be cool or just to have a buzzword in advertisement. The quality is fine so far. But telling it is on purpose to install an update a day later than everyone else really annoys me. It looks like a bug and bugs might happen, that's all right if you stand by it. Just please don't deny an issue if you see it by reflex.
After knowing this list of security issues might have some problems with Wordpress bugs, version numbers, Plugin bugs and Plugin names, I will take it with a grain of salt in the future, and this is fine for me. But calling those issues "resolved" doesn't make them disappear.
 
The nightly maintenance concept is by design. Gradual roll-outs are also by design and serve several important purposes such as not overloading source servers. There are no plans to change either.

If the current Wordpress maintenance is not fast enough for your business case you can always and very easily update Wordpress from the Wordpress Dashboard.
 