
[Solved] Recent vulnerability


gutterboy44
Posts: 5
(@gutterboy44)
Active Member
Joined: 4 days ago

I heard of the recent vulnerability which was patched in 7.0.5:

https://wpdiscuz.com/community/news/security-vulnerability-issue-please-update-to-wpdiscuz-7-0-5-and-higher/

However I have 5.3.6 installed as I don't wish to update to 7.x.x just yet and the ManageWP Security scanner is telling me about this vulnerability and is pointing to: https://wpvulndb.com/vulnerabilities/10333

 

Please advise.

 

Thanks!

9 Replies
Tom
Posts: 387
Support
(@tomson)
Support Team
Joined: 5 years ago

Hi @gutterboy44,

Let's not focus on old issues and go forward. Your security scanner informs you about the old 7.0.0-7.0.4 versions, but it also says the problem was fixed in version 7.0.5. That version and all current versions are 100% safe.


All recent versions are safe and you can update without any worry.

This kind of issue happens with all plugins; that's why plugin developers actively improve and release new versions. This is the regular flow of all plugin development. There is no reason to worry if you've updated and are up to date. Just keep updating your plugins and make sure you're using the latest versions.

The vulnerability issue was fixed about half a month ago and all is safe now. You can go for the 7.x.x update for sure. Just read this topic, and make sure you're ready for the update: https://wordpress.org/support/topic/before-updating-to-wpdiscuz-7-version/

gutterboy44
Posts: 5
(@gutterboy44)
Active Member
Joined: 4 days ago

Old issues? It's not an old issue, I just got notified of it recently and as stated:

Added  2020-07-28 (4 days ago)

Yes I'm aware it was fixed in the 7.* branch, but what about the 5.* branch, just like you released a separate fix for this vulnerability?

As stated I don't wish to update to the 7.* branch at this time.

Thank You!

1 Reply
Eli
(@eli)
Joined: 2 months ago

Eminent Member
Posts: 20

@gutterboy44 staying with old versions is not smart, however, it is my understanding the security issue was introduced with the release of the 7.XX.XX Branch. Previous versions were not affected by this particular issue I believe, but don't quote me on this.

gutterboy44
Posts: 5
(@gutterboy44)
Active Member
Joined: 4 days ago
Posted by: @eli

staying with old versions is not smart

Hi Eli, I understand this, however they are totally different versions/branches and it seems security fixes are still being applied to the 5.* branch (based on the aforementioned previous security issue) so there are no issues with staying with the 5.* branch at this time.

On top of this, updating to 7.* branch is not a simple update, especially when you have customisations - this is the reason we have not updated as yet.

1 Reply
Eli
(@eli)
Joined: 2 months ago

Eminent Member
Posts: 20

@gutterboy44 you missed the point of my post, I just tried to tell you that the security issue you are referring to and are afraid of does not exist in versions before the 7.0 branch, your security software is sending you a generic message alerting you of the security issue in older versions of the plugin (the plugin doesn't know this particular issue doesn't exist in versions previous to 7.0).

And regarding customizations and work implicated, it is still not smart to stay with older versions regardless.

Greetings

gutterboy44
Posts: 5
(@gutterboy44)
Active Member
Joined: 4 days ago
Posted by: @eli

you missed the point of my post, I just tried to tell you that the security issue you are referring to and are afraid of does not exist in versions before the 7.0 branch

Yes I'm aware of that, thank you. I assumed this would be the case but wanted to confirm it to be safe.

Posted by: @eli

And regarding customizations and work implicated, it is still not smart to stay with older versions regardless.

It is completely safe as long as security patches are being applied to the 5.* branch as well; the ONLY reason you would have for upgrading is to get the latest version with upgrades, new functionality etc.... as long as the 5.* is actively being monitored there is no harm in staying with the 5.* branch.

Tom
Posts: 387
Support
(@tomson)
Support Team
Joined: 5 years ago
Posted by: @gutterboy44

Old issues? It's not an old issue, I just got notified of it recently and as stated:

This was about half a month ago. The wpDiscuz 7.x.x version is installed on 50% of our users' websites, which means about 40,000 websites. During the last two weeks about 45,000 websites have updated to 7.0.5 and the higher 7.0.6 version, so almost all sites are up to date and safe. The two most recent versions are safe. So this risk is outdated, it's not actual and you can update to the latest versions without any worry.

2 Replies
gutterboy44
(@gutterboy44)
Joined: 4 days ago

Active Member
Posts: 5

@tomson Thanks Tom. All I'm really trying to find out though is this vulnerability only relevant to the 7.* branch though? (I know it has been fixed).

In other words, this vulnerability doesn't affect the 5.* branch?

Tom
Support
(@tomson)
Joined: 5 years ago

Support Team
Posts: 387

@gutterboy44,

That vulnerability issue was only in 7.0.0-7.0.4 versions, nowhere else.

  • If you use 7.x versions, you should use the latest version (7.0.5 and higher).
  • If you use 5.x versions, you should use the latest 5.x version 5.3.6.
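The mismatch discussed in this thread (a scanner flagging 5.3.6 for an issue confined to 7.0.0-7.0.4) can be reproduced with a short triage check. This is an added example, not code from wpDiscuz or ManageWP; the advisory record, the function names, and the idea that the scanner compares only against the fixed-in version are assumptions made for illustration.

```python
import re

# Constructed advisory record using the version numbers quoted in this thread.
# Field names are hypothetical, not any scanner's real schema.
ADVISORY = {
    "plugin": "wpdiscuz",
    "introduced_in": "7.0.0",  # first affected release, per the support reply
    "fixed_in": "7.0.5",       # first patched release
}

def parse(version):
    """Turn '7.0.5' into (7, 0, 5); pad short versions so '7.0' == '7.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))

def flagged_fixed_in_only(installed, adv=ADVISORY):
    """Naive match: anything older than the fixed release is reported."""
    return parse(installed) < parse(adv["fixed_in"])

def flagged_by_range(installed, adv=ADVISORY):
    """Range match: report only introduced_in <= installed < fixed_in."""
    return parse(adv["introduced_in"]) <= parse(installed) < parse(adv["fixed_in"])

def triage(installed, adv=ADVISORY):
    """Classify an installed version against the advisory."""
    if flagged_by_range(installed, adv):
        return "affected"
    if flagged_fixed_in_only(installed, adv):
        # Older than the fix but also older than the bug: the naive match
        # raises an alert even though the vulnerable code was never shipped.
        return "false positive"
    return "not affected"

if __name__ == "__main__":
    for v in ("5.3.6", "7.0", "7.0.4", "7.0.5", "7.0.6"):
        print(f"{v:>6}  naive={flagged_fixed_in_only(v)!s:<5}  {triage(v)}")
```

A "false positive" result still deserves confirmation from the vendor, as happened in this thread, because an advisory's introduced-in version is often missing or wrong.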