MultiSafepay / woocommerce

MultiSafepay WooCommerce plugin
https://docs.multisafepay.com/docs/woocommerce

Unauthenticated Arbitrary File Access #18

Closed larswienbelt closed 2 years ago

larswienbelt commented 2 years ago

Hello Team,

We were made aware of the following issue in the MultiSafepay plugin for WordPress: https://wpscan.com/vulnerability/ab740168-f86b-4917-9f12-de3a20cadd4d. It's regarding "Unauthenticated Arbitrary File Access" and present in version 4.13.1 and below.

We'd like to know if you are aware of the issue and when we can (more or less) expect a fix.

Thanks and have a great day!

danielcivit commented 2 years ago

Hello @larswienbelt.

Yes, unfortunately such a problem has been reported to us as well by the WordPress Plugin Directory team, and we have confirmed there was a vulnerability.

The problem lay in a specific piece of functionality related to downloading the plugin's log file, and it was removed immediately, less than 24 hours after we received the report.

The WordPress Plugin Directory team also performed a full security review of the plugin before allowing us to be back.

Please upgrade to the latest version (4.17.2).
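For readers who maintain a plugin with a similar "download the log file" feature, the following is an added illustration (not the MultiSafepay plugin's own code, and not the vulnerable code it removed) of the checks that keep such an endpoint from becoming unauthenticated arbitrary file access: an authenticated-only hook, a capability check, a nonce, and confinement of the resolved path to one fixed directory. The `msp_` function names, the `file` query parameter and the log directory location are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration of a hardened WordPress log-download endpoint.
 * All names with the msp_ prefix and the log directory are hypothetical;
 * this is not the MultiSafepay plugin's code.
 */

// 1. Register only the authenticated admin_post_{action} hook. WordPress routes
//    logged-out requests to admin_post_nopriv_{action} instead, which is
//    deliberately not registered, so anonymous visitors never reach the handler.
add_action( 'admin_post_msp_download_log', 'msp_download_log' );

function msp_download_log() {
    // 2. Capability check: being logged in is not enough; only site managers
    //    may read logs, which can contain order and customer details.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 3. CSRF check: the request must carry a nonce issued for this action
    //    (check_admin_referer() reads _wpnonce and dies on failure).
    check_admin_referer( 'msp_download_log' );

    // 4. Confine the requested name to a single fixed directory. basename()
    //    strips any directory components, so "../wp-config.php" becomes
    //    "wp-config.php", which the extension check below then rejects.
    $log_dir   = WP_CONTENT_DIR . '/uploads/msp-logs'; // assumed location
    $requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $name      = basename( sanitize_file_name( $requested ) );

    if ( '' === $name || substr( $name, -4 ) !== '.log' ) {
        wp_die( 'Invalid log file name.', 400 );
    }

    // 5. Resolve both paths on disk and require the file to sit inside
    //    $log_dir. This also defeats symlinks pointing outside the directory.
    $base = realpath( $log_dir );
    $path = realpath( $log_dir . '/' . $name );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Log file not found.', 404 );
    }

    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// The admin UI builds links with this helper so the nonce travels with the
// request; a hand-crafted URL without a valid _wpnonce is refused in step 3.
function msp_download_log_url( $name ) {
    return wp_nonce_url(
        add_query_arg(
            array( 'action' => 'msp_download_log', 'file' => $name ),
            admin_url( 'admin-post.php' )
        ),
        'msp_download_log'
    );
}
```

The order of the checks matters for defenders reviewing such code: the hook choice and the capability check decide who may call the endpoint at all, the nonce ties each call to an admin page the user actually visited, and the `realpath()` comparison is the part that turns "download a log" into "download only files from this one directory". Removing any one of the four re-opens a distinct class of issue.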

larswienbelt commented 2 years ago

Thank you Daniel for your fast response. We'll update to version 4.17.2.

On the WPScan website it's still reported as "not fixed", and we got the advice from our hosting partner to remove the whole plugin. Good to know this issue has been resolved. Be aware that others might take action and remove the plugin when authorities like WPScan report the issue as not being resolved. Not sure what you can do about it though.

danielcivit commented 2 years ago

Thank you @larswienbelt.

We sent WPScan an email a couple of days ago and kindly requested that they review the status. Unfortunately, this is something out of our control at the moment, but we are confident we will receive a reply from them soon.

And yes, we are fully aware of the damage of an error like this. We also believe transparency and fast action are the best credentials we can provide in order to earn the trust of our users.

Please do not hesitate to come back and contact us with any questions or requests you may have, and once again thanks for reaching out to us.