• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Vulnerabilities that does not exist

Redsector

New Pleskian
Server operating system version
Ubuntu 20.04.6
Plesk version and microupdate number
18.0.51
Hello there,
I suppose something is stuck either on my side or in the tool.
I have updated to WP 6.2 and the toolkit still report there is an issue "WordPress <= 6.1.1 - Unauth. Blind SSRF vulnerability", but 6.2 is clearly > 6.1.1

Plus I have installed "UpdraftPlus - Backup/Restore 1.23.3" and wp toolkit report to me there is a vulnerability on "WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2" which I don't have. To be clear, the version 2.x is the pro paid version, the 1.xx is the free one. They are different stuff, and to be even more clear, according to the developer, the bug is fixed also in version 1.23.3. I Suggest you to either recognize 1.X and 2.X or to simply discard the first digit.

I hope this help removing this red ! that cannot alert me if new things are to be considered
Thanks
 
Hello,
I thought version WP6.2 was going to fix that.
I checked these options (xmlrpc and pinkback) for several years.
For the UpdraftPlus extension, there is indeed an issue with WP Toolkit not seeing the correct version installed.
Thanks,
 
Sorry after reading again, I am not sure any more. They say: "as they need more time to work on backports." What I read was: The Wordpress Maintainers think the bug is fixed in Wordpress 6 but had to fix Wordpress 5, too.
I can't find an official statement from Wordpress or an independent proof the bug still exists.
 
I can't find an official statement from Wordpress or an independent proof the bug still exists.

So... proof that it's been fixed?

This is a WordPress issue at the end of the day. Why make this a Plesk issue?
 
Now I fond something. The Wordpress Dev says yeah the bug exists but simply use a trusted DNS, send some good hopes with your prayers and maybe nobody will be affected.
(Following this logic, no Wordpress page should use HTTPS as Wordpress' security relys on the network. Any DNS should be trusted to work as SSL Cert Autority)

OK then Plesk's mentioning of the security issue is correct. The message "WordPress <= 6.2" is at least misleading as 6.2.2 is affected too. The link to Patchstack is not the best choice, there are confirmations from the Wordpress team itself.
 
Hello,
For the UpdraftPlus Plesk and WP Tolkit say :
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But i have "UpdraftPlus - Backup/Restore 1.23.4".
WP Toolkit not seeing the correct version installed.
Thanks,
 
Hello,
For the UpdraftPlus Plesk and WP Tolkit say :
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But i have "UpdraftPlus - Backup/Restore 1.23.4".
WP Toolkit not seeing the correct version installed.
Thanks,

 
WordPress UpdraftPlus PRO plugin 2.22.14-2.23.2 - Broken Access Control Vulnerability
But i have "UpdraftPlus - Backup/Restore 1.23.4".
Exactly the same bug here.

Lol no. We disclosed several bugs here the last days and only got shady excuses.
 
Lol no. We disclosed several bugs here the last days and only got shady excuses.
Please provide a list of these bugs you disclosed and the shady excuses you got. As far as I remember you were simply wrong with your assumptions, but maybe I have missed something.

The "Updraft" issue was first reported in April and has already been fixed. It should not occur in WP Toolkit version 6.3.0-7223 or newer. Which WP Toolkit version are you using? Updates for the WP Toolkit extension are rolled out gradually, so it is possible that your installation does not have it yet. Same principle as explained before regarding Wordpress updates.
 
I really like the quality and service of Plesk. They focus on useful tools. There are no functions just to be cool or just to have a buzzword in advertisement. The quality is fine so far. But telling it is on purpose to install an update a day later then everyone else really annoys me. It looks like a bug and bugs might happen, that's allright if you stand by it. Just please don't deny an issue if you see it by reflex.
After knowing this list of security issues might have some problems with Wordpress bugs, version numbers, Plugin bugs and Plugin names, I will take it with a grain of salt in the future, and this is fine for me. But calling those issues "resolved" doesn't make them disappear.
 
The nightly maintenance concept is by design. Gradual roll-outs are also by design and serve several important purposes such as not overloading source servers. There are no plans to change either.

If the current Wordpress maintenance is not fast enough for your business case you can always and very easily update Wordpress from the Wordpress Dashboard.
 
Back
Top