WordPress Plugin 4.5.2 data Vulnerability Issue
Forum: Bug Reports and Feature Requests
Tagged: bug wordpress
- This topic has 12 replies, 5 voices, and was last updated 10 months, 1 week ago by Alexander Kovelenov.
2024-01-04 at 1:00 pm #69489 PLAN8 (Customer)
Hi,
I have just become aware of a potential severe vulnerability issue with the Verge3D WordPress plugin V 4.5.2 – The details can be read here …
“The Verge3D Publishing and E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘v3d_upload_app_file’ function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.”
Thanks.
- This topic was modified 10 months, 2 weeks ago by PLAN8. Reason: link not visible
2024-01-04 at 1:14 pm #69491 PLAN8 (Customer)
This flags up my previous repeated requests for the V3D export locally option to ONLY export the essential required HTML app files and none of the V3D, Blender and other unused files –
As a non-coder, the export locally option is very un “Artist Friendly”, as there is no clear explanation as to which files are required for the HTML app only – it is not an easy task at all to go through the exported files and try and work out what are the actual HTML app files, and what are the puzzle files and blender files etc –
PLEASE can you make the export locally option respect the option that is made checkable in the app manager “general settings”? I really don’t understand why this hasn’t been done – it makes no sense at all, and now with this vulnerability issue, it would help resolve this if the upload app manager in WordPress was only uploading a known set of file types because the exported app locally only contains the required files for a website. If that makes sense?
2024-01-04 at 1:19 pm #69493 PLAN8 (Customer)
My non coder suggestion for an immediate fix to the vulnerability issue is that perhaps the wordpress app will only accept the required files for now, if the user wants to upload any extra file types, then perhaps the app could have a text entry box where the user can specify allowed file types to be uploaded above the basic required types.
Looking ahead, being able to export ONLY the HTML app files from the app manager (or to make a clear folder distinction between front end and back end files (IE the V3D app is stored in a totally separate folder from the working files)) is essential IMHO
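One way to implement the allow-list suggested in the post above, as an added example in the plugin's language (PHP) that is not the Verge3D plugin's own code; the function names, the default extension list and the sample file names are assumptions:

```php
<?php
// Added example (not the Verge3D plugin's own code): an extension allow-list a
// WordPress upload handler could apply before writing any uploaded app file.
// All function names and the extension lists below are hypothetical.

// Default extensions a published Verge3D web app needs (assumption: a typical
// HTML/JS/glTF export; trim or extend to match what your exports contain).
function v3d_example_default_allowed_extensions() {
    return array( 'html', 'js', 'css', 'json', 'gltf', 'glb', 'bin', 'png',
                  'jpg', 'jpeg', 'webp', 'ktx2', 'hdr', 'woff', 'woff2', 'mp3', 'mp4' );
}

// Extensions that must never be stored under the web root, even as a
// non-final segment of a double extension such as "cat.php.png".
function v3d_example_forbidden_extensions() {
    return array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                  'cgi', 'pl', 'sh', 'htaccess' );
}

// Returns true if $filename may be stored. $extra_allowed plays the role of
// the admin-editable "extra file types" box suggested in the thread.
function v3d_example_upload_allowed( $filename, array $extra_allowed = array() ) {
    $name = (string) $filename;
    // Reject path separators, NUL bytes and dot-files (.htaccess, .user.ini).
    if ( $name === '' || $name[0] === '.' || strpbrk( $name, "/\\\0" ) !== false ) {
        return false;
    }
    $segments = explode( '.', strtolower( $name ) );
    array_shift( $segments );              // drop the base name
    if ( empty( $segments ) ) {
        return false;                      // no extension at all: refuse
    }
    foreach ( $segments as $seg ) {        // every segment, not just the last
        if ( in_array( $seg, v3d_example_forbidden_extensions(), true ) ) {
            return false;
        }
    }
    $allowed = array_merge( v3d_example_default_allowed_extensions(),
                            array_map( 'strtolower', $extra_allowed ) );
    return in_array( end( $segments ), $allowed, true );   // final extension decides
}

// Constructed sample names, as they might appear in a locally exported app.
foreach ( array( 'index.html', 'app.gltf', 'scene.blend', 'puzzles.xml',
                 'shell.php', 'cat.php.png', '.htaccess', 'audio.ogg' ) as $f ) {
    printf( "%-12s %s\n", $f, v3d_example_upload_allowed( $f, array( 'ogg' ) ) ? 'accept' : 'reject' );
}
```

An extension check alone is not a complete fix: uploads should also land in a directory where the web server does not execute scripts, and the default list should be reconciled against the files a real export produces.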
2024-01-04 at 4:21 pm #69495 xeon (Customer)
Thank you for bringing this up so all users that use this plug-in are now aware.
Verge3d adoption has its challenges due to the economic political landscape we don’t need any other reasons for clients to think negatively.
I hope this gets resolved quickly.
Xeon
Route 66 Digital
Interactive Solutions - https://www.r66d.com
Tutorials - https://www.xeons3dlab.com
2024-01-05 at 2:04 am #69497 kdv (Participant)
Disable REST API for this add-on, upload Verge3D apps via FTP.
Puzzles and JS coding. Fast and expensive.
If you don’t see the meaning in something it primarily means that you just don’t see it but not the absence of the meaning at all.
2024-01-05 at 5:37 am #69498 Yuri Kovelenov (Staff)
2024-01-05 at 12:51 pm #69500 PLAN8 (Customer)
Thanks Yuri
2024-01-05 at 12:51 pm #69501 PLAN8 (Customer)
2024-01-08 at 11:13 am #69535 Alexander Kovelenov (Staff)
Hi,
We did some investigation and have some updates.
This looks scary at first sight, but in reality only privileged users can exploit this vulnerability (such as admins and sales staff).
I guess the guys who opened this issue just used some tool to scan the plugin code and posted the results.
Anyway, we are working to get rid of this issue altogether!
2024-01-08 at 11:25 am #69536 PLAN8 (Customer)
> Hi,
> We did some investigation and have some updates.
> This looks scary at first sight, but in reality only privileged users can exploit this vulnerability (such as admins and sales staff).
> I guess the guys who opened this issue just used some tool to scan the plugin code and posted the results.
> Anyway, we are working to get rid of this issue altogether!
Hi Alexander, Thanks for the update. Yes, that’s actually how I interpreted the threat as well, and for me, as a sole admin, that wouldn’t really be a problem, but I guess for sites with multiple users, this could be alarming.
However, as per my follow up messages after the OP, I still do think this highlights the absolutely essential requirement for V3D app manager to have the ability to locally export a “clean” set of application only required files (without any non application specific files), so that the average user like myself can feel confident they are only uploading the required web app files and nothing else – this really is a super critical change as far as I am concerned.
Thanks for updating!
- This reply was modified 10 months, 2 weeks ago by PLAN8.
2024-01-09 at 6:36 am #69550 Alexander Kovelenov (Staff)
> However, as per my follow up messages after the OP, I still do think this highlights the absolutely essential requirement for V3D app manager to have the ability to locally export a “clean” set of application only required files (without any non application specific files)
We’ll definitely look at this also!
2024-01-09 at 10:57 am #69564 PLAN8 (Customer)
> However, as per my follow up messages after the OP, I still do think this highlights the absolutely essential requirement for V3D app manager to have the ability to locally export a “clean” set of application only required files (without any non application specific files)
> We’ll definitely look at this also!
2024-01-10 at 6:39 am #69578 Alexander Kovelenov (Staff)