ThemeFuse / Unyson

A WordPress framework that facilitates the development of WP themes
http://unyson.io

Patch for v2.7.28 to fix missing capability checks #4330

Open UPTimbo opened 9 months ago

UPTimbo commented 9 months ago

I'm getting alerts that the Unyson plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on several functions in versions up to, and including, 2.7.28. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions such as dismissing notices.

Is there a Patch in the works?
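For readers unfamiliar with the vulnerability class named above, here is an added example (not Unyson's code; the plugin, option and action names are hypothetical) of a WordPress `admin-ajax.php` handler that dismisses a notice, first in the unprotected form and then with the nonce, capability and input checks that a `wp_ajax_` handler needs, since `wp_ajax_` only guarantees the caller is logged in, not that they are allowed to change plugin state.

```php
<?php
// Added example, not Unyson code. Hypothetical names throughout.
// wp_ajax_* hooks fire for any authenticated user, so a handler that
// writes site-wide state must enforce authorization itself.

// Unprotected form: a subscriber can change a site-wide option.
function example_dismiss_notice_unprotected() {
    $notice = sanitize_key( wp_unslash( $_POST['notice'] ?? '' ) );
    update_option( 'example_notice_dismissed_' . $notice, 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice_unprotected', 'example_dismiss_notice_unprotected' );

// Hardened form.
function example_dismiss_notice() {
    // 1. CSRF: verify the nonce issued to the admin page (wp_die()s on failure).
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 2. Authorization: only users allowed to manage the site may change its state.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Input validation: accept only known notice identifiers.
    $allowed = array( 'welcome', 'update_available' );
    $notice  = sanitize_key( wp_unslash( $_POST['notice'] ?? '' ) );
    if ( ! in_array( $notice, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown notice' ), 400 );
    }

    update_option( 'example_notice_dismissed_' . $notice, 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice' );

// Issue the nonce to the admin page that fires the request.
function example_enqueue_notice_script() {
    wp_enqueue_script( 'example-notices', plugins_url( 'notices.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-notices', 'exampleNotices', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_dismiss_notice' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_notice_script' );
```

When reviewing a fix like the one discussed in this thread, the check to make is that every `wp_ajax_` (and `admin_post_`) callback that writes state carries both a nonce check and a `current_user_can()` test appropriate to the data it touches.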

twright6 commented 3 months ago

So I'm seeing 2.7.31, do we know if this version is an actual fix that will result in the plugin being returned to the WP repository?

clickbait commented 3 months ago

> So I'm seeing 2.7.31, do we know if this version is an actual fix that will result in the plugin being returned to the WP repository?

The committed code seems to address the issue that is mentioned in the vulnerability, so I would assume so.

izac3d commented 3 months ago

> So I'm seeing 2.7.31, do we know if this version is an actual fix that will result in the plugin being returned to the WP repository?
>
> The committed code seems to address the issue that is mentioned in the vulnerability, so I would assume so.

Download from here (2.7.31): https://downloads.wordpress.org/plugin/unyson.zip

WebDragon commented 3 months ago

I will believe it when Patchstack updates their vulnerability report to reflect that this addresses the fix correctly: https://patchstack.com/database/vulnerability/unyson

twright6 commented 1 month ago

Is anyone using the new version? Any news on whether this is an actual fix? It's obvious Theme Fuse isn't providing any details. Appreciate your feedback.

ypesh commented 1 month ago

> Is anyone using the new version? Any news on whether this is an actual fix? It's obvious Theme Fuse isn't providing any details. Appreciate your feedback.

Yes, we're using it and so far so good, no more threat warnings from our host one.com. The current site is live with the updated theme; however, we have set up a staging platform and are in the process of migrating everything to the Avada theme. It's a lot of work but will be better in the long term as we're only a small team.

WebDragon commented 1 month ago

> Is anyone using the new version? Any news on whether this is an actual fix? It's obvious Theme Fuse isn't providing any details. Appreciate your feedback.

We have the new version installed, but from everything I can see from the diff between the previous and current version, it was not an actual fix. Witness the fact that I pointed out earlier: Patchstack has still not updated their vulnerability info to indicate that it is now fixed.