I heard of the recent vulnerability which was patched in 7.0.5:
However I have 5.3.6 installed as I don't wish to update to 7.x.x just yet and the ManageWP Security scanner is telling me about this vulnerability and is pointing to: https://wpvulndb.com/vulnerabilities/10333
Please advise.
Thanks!
Hi @gutterboy44,
Let's not focus on old issues and go forward. Your security scanner informs you about the old 7.0.0-7.0.4 versions, but it also says the problem was fixed in version 7.0.5. That version and all current versions are 100% safe.
All recent versions are safe and you can update without any worry.
This kind of issue happens with all plugins; that's why plugin developers actively improve and release new versions. This is the regular flow of all plugin development. There is no reason to worry if you've updated and are up to date. Just keep updating your plugins and make sure you're using the latest versions.
The vulnerability issue was fixed about half a month ago and all is safe now. You can go for the 7.x.x update for sure. Just read this topic, and make sure you're ready for the update: https://wordpress.org/support/topic/before-updating-to-wpdiscuz-7-version/
Old issues? It's not an old issue, I just got notified of it recently and as stated:
Added 2020-07-28 (4 days ago)
Yes I'm aware it was fixed in the 7.* branch, but what about the 5.* branch, just like you released a separate fix for this vulnerability?
As stated I don't wish to update to the 7.* branch at this time.
Thank You!
Staying with old versions is not smart.
Hi Eli, I understand this, however they are totally different versions/branches and it seems security fixes are still being applied to the 5.* branch (based on the aforementioned previous security issue) so there are no issues with staying with the 5.* branch at this time.
On top of this, updating to 7.* branch is not a simple update, especially when you have customisations - this is the reason we have not updated as yet.
You missed the point of my post. I just tried to tell you that the security issue you are referring to and are afraid of does not exist in versions before the 7.0 branch.
Yes I'm aware of that, thank you. I assumed this would be the case but wanted to confirm it to be safe.
And regarding customizations and work implicated, it is still not smart to stay with older versions regardless.
It is completely safe as long as security patches are being applied to the 5.* branch as well; the ONLY reason you would have for upgrading is to get the latest version with upgrades, new functionality etc. As long as the 5.* is actively being monitored there is no harm in staying with the 5.* branch.
Old issues? It's not an old issue, I just got notified of it recently and as stated:
This was about half a month ago. wpDiscuz 7.x.x is installed on 50% of our users' websites, which means about 40,000 websites. During the last two weeks about 45,000 websites have updated to 7.0.5 and the higher 7.0.6 versions, so almost all sites are up to date and safe. The two recent versions are safe. So this risk is outdated, it's not current, and you can update to the latest versions without any worry.