• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue WordPress Toolkit vulnerability report unclear

V

Visnet

Basic Pleskian
Dear Plesk team and Pleskians,

For one staging website on my Plesk server (Plesk Obsidian) I am getting the following two reports from the WordPress Toolkit extension:
website URL filteredWordPress License Manager for WooCommerce plugin <= 2.2.5 - Sensitive Information Disclosure vulnerability
website URL filteredWordPress License Manager for WooCommerce plugin <= 2.2.5 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability

However, it is unclear:
  • What the nature of this vulnerability is, how to find more information about it and how to pinpoint the issue in the plugin code
  • How to solve this or what to report to the plugin developer (for instance, this plugin does not have any new versions available yet)
Without this information reports like these are more confusing than helpful.

Am I missing something?
Or could this be improved to be more helpful to a server administrator?

Cheers!
 
To add to my initial report:

Using Plesk 18.0.41.1 with WordPress Toolkit extension 5.9.3-6032

I just found out that when using the WordPress Toolkit through the Plesk panel, under Security > Vulnerabilities (filter) the same notices actually provide a 'Details' button that is linking to:
- WordPress License Manager for WooCommerce plugin <= 2.2.5 - Sensitive Information Disclosure vulnerability - Patchstack
- WordPress License Manager for WooCommerce plugin <= 2.2.5 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Suggestion:
Either include these same links in the report e-mail or explain how/where to find them in the Plesk panel.
 
Thank you for your feedback! We have filed a task to improve our email notifications based on your feedback. Let us know if you have any other feedback.
 
You must log in or register to reply here.

Similar threads

T
Issue WP Toolkit incorrect vulnerability and version reports
Replies
4
Views
686
TurnRound
T
T
Resolved WordPress Toolkit Reporting Incorrect Risk Levels Again
Replies
5
Views
1K
Sebahat.hadzhi
Sebahat.hadzhi
T
WordPress NextGEN Gallery Plugin <= 0.96 - XSS Vulnerability
Replies
0
Views
863
Tinpeas
T
D
Resolved problem with alert about a vulnerability in a plugin that's already fixed
Replies
1
Views
1K
Daniel-spain
D
C
Can I stop Plesk creating tickets to Cloudlinux
Replies
11
Views
2K
Change Maker
C
Back
Top