Security Alert: Plugin Vulnerability Notification - Advanced Custom Fields8343
Pages:
1
 FounderNail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| Just got an alert from WP Engine Security: Plugin Vulnerability Notification - Advanced Custom Fields Plugin This plugin could allow input from a malicious user with Author privileges to be interpreted as code by site visitors' web browsers. An attacker could use this vulnerability to steal information or modify site configuration. Unfortunately, the author of this plugin has not yet released a fix to address these security issues. Until that time, we recommend that you assess the risk to your organization with consideration toward the requirement of author privileges for a user to execute this attack. The functionality of Advanced Custom Fields is integral to many themes and other WordPress add-ons, so removing it may break certain aspects of your site. Please make sure to run a backup of your database before making any changes |
||
| Post 1 • IP flag post | ||
Missoula, MT |
rpetersn private msg quote post Address this user | |
| Interestingly, there's no mention (yet 12/5/18 - PM) of this issue anywhere online at any of the various ACF Forums: https://support.advancedcustomfields.com/forums/forum/general-issues/ https://wordpress.org/support/plugin/advanced-custom-fields As you note, there are MILLIONS of sites running this plugin and one that we require as part of using WP3D Models. I'm certain that given the volume of users, this will be resolved quickly. |
||
| Post 2 • IP flag post | ||
|
Founder Nail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| They wouldn’t till they have the problem solved. This was from wpengine which you and many others have sites on. Being on the internet for 24 years I have come to know that the plugin with the issue doesn’t publish till they fix it or they are just compounding the problem by attracting unwanted attention to the issue. Surprised you would think that they would as it’s not practice for anyone, including yourself, to publish a known exploit without it being fixed first. | ||
| Post 3 • IP flag post | ||
|
Missoula, MT |
rpetersn private msg quote post Address this user | |
| Hey Glenn...I only meant that I’m surprised to see no mention yet from other USERS of ACF after receiving similar security messages. | ||
| Post 4 • IP flag post | ||
|
Founder Nail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| So if I had a serious exploit into wp3dmodels and I posted it in forums and said “hey if you do this and that in the software you can seriously jack with a site “ why would you keep that in the forum and public for all to read. It’s just no the way the internet works. They publish after they fixed it. It’s internet common sense not to have it public till then. I trust wpengine and wordfence with their warnings. | ||
| Post 5 • IP flag post | ||
|
Missoula, MT |
rpetersn private msg quote post Address this user | |
Hey Glenn...I feel like maybe I inadvertently touched a nerve here....not my intention.  I was just making a personal observation that I was surprised to not be able to find any more info on this issue on those forums, especially on WordPress.org. I too greatly trust the places you note and wasn’t implying that there is no issue. I’m sure people are scrambling to push out a fix as we speak. Thx for your energies here to help keep users of WordPress (and WP3D Models) safe, secure and updated. |
||
| Post 6 • IP flag post | ||
|
Founder Nail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| I was going to say that about your comments. I don’t have a plugin that greatly relies on it. I’m just on the outside with many Wordpress servers and am trying to tell those with sites what’s up from an unbiased perspective. You have sites at wpengine so you should have got the same email I got. My nerves are fine from dealing with stuff like this for 24 years. Just telling it like it is. No one EVER publishes or keeps posts up about a problem if they don’t have it fixed yet so to come here and say that because the plugin maker hasn’t said anything is misleading to how these things work. |
||
| Post 7 • IP flag post | ||
 WGAN ForumFounder & WGAN-TV Podcast Host Atlanta, Georgia |
DanSmigrod private msg quote post Address this user | |
| Here is the email I received from WPEngine —— Subject: WP Engine Security: Plugin Vulnerability Notification - Advanced Custom Fields Plugin Hello, At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security issues. We are reaching out to you today because we identified your site(s), (wegetaround), are utilizing a vulnerable version of the Advanced Custom Fields plugin. This plugin could allow input from a malicious user with Author privileges to be interpreted as code by site visitors' web browsers. An attacker could use this vulnerability to steal information or modify site configuration. Unfortunately, the author of this plugin has not yet released a fix to address these security issues. Until that time, we recommend that you assess the risk to your organization with consideration toward the requirement of author privileges for a user to execute this attack. The functionality of Advanced Custom Fields is integral to many themes and other WordPress add-ons, so removing it may break certain aspects of your site. Please make sure to run a backup of your database before making any changes; which you can learn how to do in this article: http://wpengine.com/support/restore/ Feel free to reach out to our Support team at any time if you have any questions! Thanks -WP Engine Security Team -- Automated message from WP Engine. Technical Questions? Visit the Support link in the User Portal: <https://my.wpengine.com> or visit the support garage: <https://wpengine.com/support>. Anything else? Let our Support Team know by logging into your User Portal at <https://my.wpengine.com>. https://wpengine.com/ @wpengine |
||
| Post 8 • IP flag post | ||
|
Founder Nail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| Another thing for those reading that are new to this. This happens a lot but usuall before wpengine or wordfense (wordfence you should subscribe to just for the security updates they are great) sends out a warning they reach out to the plugin maker to get them to fix it. The fact that they haven’t yet means the exploit is deeper than usual and they are scrambling. 99.9999% of the time they fix so don’t worry too much. Today there has been a big attempt from hacker bots https://www.wordfence.com/blog/2018/12/wordpress-botnet-attacking-wordpress/ This is like having kids. First one you worry more than you should and 24 years later you worry less, not let it get free rent in your head but take preventive measures. |
||
| Post 9 • IP flag post | ||
|
Missoula, MT |
rpetersn private msg quote post Address this user | |
| Apologies if I came across as misleading, certainly not my intention. I did get the email you note (from WPEngine) and went looking for more information myself. I was just surprised to not be able to find out any more info after that message (that Dan has since reposted here) and that’s all. I’ll continue to be on the lookout for my more info and reply with anything I am able to find. Thx guys! |
||
| Post 10 • IP flag post | ||
|
Founder Nail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| Again, you won’t “hear “ anything from them till they have a fix. Just like if it was your plugin. The only time someone in this position you hear from them is when it’s fixed. Maybe let everyone know when you see that? Thanks | ||
| Post 11 • IP flag post | ||
|
Missoula, MT |
rpetersn private msg quote post Address this user | |
| Yep! Will do |
||
| Post 12 • IP flag post | ||
|
Missoula, MT |
rpetersn private msg quote post Address this user | |
| Following up here to anyone that is curious. I got a message back from ACF as follows: ******** This issue has recently come to our attention and we are working with the WPEngine team to get it fixed. The good news is that, the issue is very minor, and does not expose any real risk to your website. The short version of the issue is: A logged in user (with "author" permissions) is able to enter unfiltered HTML into an ACF field which goes against the 'unfiltered_html' capability mentioned here: https://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html There is no need to panic. This issue does not pose any real world risk to your website. That said, we will release a patch tomorrow to get this fixed Thanks for your patience have a good one. ******** |
||
| Post 13 • IP flag post | ||
|
Founder Nail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| Great to hear and that you have access to them to get a prompt response | ||
| Post 14 • IP flag post | ||
|
WGAN Forum Founder & WGAN-TV Podcast Host Atlanta, Georgia |
DanSmigrod private msg quote post Address this user | |
| From WP Engine in an email alert.... Subject: WP Engine Security: Plugin Update Notification - Google Analytics by Monster Insights Plugin Hello, At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security issues. We are reaching out to you today because we identified your site(s), (wegetaround), are utilizing a vulnerable version of the Google Analytics by Monster Insights plugin. This plugin could allow input from a malicious user to be interpreted as code by site visitor's web browsers. An attacker could use this vulnerability to steal information, or modify site configuration. To secure your site, upgrade Google Analytics by Monster Insights to 7.3.2. Please make sure to run a backup of your database before making any changes; which you can learn how to do in this article: http://wpengine.com/support/restore/ Feel free to reach out to our Support team at any time if you have any questions! Thanks -WP Engine Security Team -- Automated message from WP Engine. Technical Questions? Visit the Support link in the User Portal: <https://my.wpengine.com> or visit the support garage: <https://wpengine.com/support>. Anything else? Let our Support Team know by logging into your User Portal at <https://my.wpengine.com>. https://wpengine.com/ @wpengine |
||
| Post 15 • IP flag post | ||
|
Missoula, MT |
rpetersn private msg quote post Address this user | |
| Note that this is an entirely different plugin ( "Google Analytics by Monster Insights" ) from the one in the title of this thread ( "Advanced Custom Fields" ), but a good reminder nonetheless to always keep your site's software up-to-date! This is an easy fix, just update the plugin and you're done. | ||
| Post 16 • IP flag post | ||
|
Missoula, MT |
rpetersn private msg quote post Address this user | |
| To put a bow on this...Advanced Custom Fields (ACF) released version 5.7.8 today, resolving the issue that was noted by WP Engine and the topic of this thread. https://www.advancedcustomfields.com/blog/acf-5-7-8-release/ |
||
| Post 17 • IP flag post | ||
|
Founder Nail Soup Media Sarasota, Florida |
GlennTremain private msg quote post Address this user | |
| Great to hear. Now on to converting php 5.6 and 7.0 to 7.2 and not having people upgrading to Wordpress 5.0 prematurely | ||
| Post 18 • IP flag post | ||
Pages:
1This topic is archived. Start new topic?