Open JosKlever opened 6 days ago
Themes are not scanned. No errors here, so it must be a plugin with strange version number or characters or no version number. Can you show a list of used plugins/versions from that site?
Complianz | GDPR/CCPA Cookie Consent 7.1.0
Koko Analytics 1.3.14
MainWP Child 5.2
UpdraftPlus - Backup/Restore 2.24.6.26
Wordfence Security 7.11.7
WPForms Lite 1.9.1.3
WP Post Page Clone 1.2
Yoast SEO 23.6
In this case WP Post Page Clone would be my first suspect, because the others are used in many sites, so I'd guess the scan would have hit them earlier. But I don't see a "1.1." reference in the code yet.
Strange because from version 1.4.2 to 1.4.3 nothing changed in version compare. I tested the WP Post Page Clone on a site and it also gives me an error on scan.
I'm not saying that it's caused by 1.4.3. It could also exist in 1.4.2, but I didn't use it recently and this is a new maintenance client. It's good that you can at least reproduce it. Take your time though, because it's not a blocking issue for me.
Why is this issue closed? It's not solved yet. Also tested it with 1.5.0 and the result is the same.
When using the Scanner Feed with 1.5.0 the error does not occur, but with Production Feed it does.
The problem is inside the WP Post Page Clone plugin, so for now I am going to close the issue.
Then we can create a support topic for that plugin, but we don't know what to ask, unless we have some information about what's going wrong in your plugin. They can't test or reproduce that.
If we close this issue, the investigation stops as well... 🤔
If you want, I can keep this open, but it won't speed up the process of solving it. ;-) When I have time I will look into it, but there is something wrong in the code, as I already tested changing the header information and that did not solve it.
Okay, I found the problem. It is a typo in the Wordfence database: they listed version 1.1. as affected. So they typed in a dot too many! https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-post-page-clone/wp-post-page-clone-11-missing-authorization-to-post-disclosure
I'll send them a message to fix it, but is this something you can fix in your code as well to make sure it ignores it or gives a nice error? After all, we can never be certain that version numbers are noted exactly in conformance with a certain standard.
Wordfence has fixed it already, so the scan finishes now without further errors on my dashboard. So if you want to handle version inconsistencies like this, you should not update your database.
I'll leave it up to you whether you close this issue or keep it open to adjust your plugin.
Fix added in pre release 1.5.1: https://github.com/herbie4/mainwp-check-plugins-vulnerability-extension/releases/tag/1.5.1 Will add a new prod release 1.4.4 later.
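One way to tolerate a malformed feed version such as the `1.1.` typo discussed in this thread without aborting the scan, as an added example (this is not the code from release 1.5.1 or from the extension). The function names, the range field names and the sample records are assumptions constructed for illustration.

```php
<?php
/**
 * Return a cleaned version string, or null when it cannot be trusted.
 * A stray leading/trailing dot (the "1.1." typo) is trimmed; anything that is
 * not dot-separated digits with an optional suffix (e.g. "-beta1") is rejected.
 */
function normalize_feed_version($raw): ?string {
    if (!is_string($raw)) {
        return null;
    }
    $v = trim($raw, " \t\n\r.");
    if ($v === '*') {
        return '*'; // wildcard bound: "any version"
    }
    return preg_match('/^\d+(\.\d+)*([.\-+]?[a-z][a-z0-9.]*)?$/i', $v) ? $v : null;
}

/**
 * Decide whether $installed falls inside one affected range.
 * Returns true/false, or null when a bound is malformed, so the caller can
 * report the entry for review instead of ending the scan with a fatal error.
 */
function is_version_affected(string $installed, array $range): ?bool {
    $inst = normalize_feed_version($installed);
    $from = normalize_feed_version($range['from_version'] ?? null);
    $to   = normalize_feed_version($range['to_version'] ?? null);
    if ($inst === null || $inst === '*' || $from === null || $to === null) {
        return null;
    }
    $lowOp  = !empty($range['from_inclusive']) ? '>=' : '>';
    $highOp = !empty($range['to_inclusive']) ? '<=' : '<';
    $aboveLow  = $from === '*' || version_compare($inst, $from, $lowOp);
    $belowHigh = $to === '*' || version_compare($inst, $to, $highOp);
    return $aboveLow && $belowHigh;
}

// Constructed sample ranges: the second carries the trailing-dot typo,
// the third cannot be repaired and must be reported, not compared.
$ranges = [
    ['from_version' => '*', 'from_inclusive' => true, 'to_version' => '1.1',  'to_inclusive' => true],
    ['from_version' => '*', 'from_inclusive' => true, 'to_version' => '1.1.', 'to_inclusive' => true],
    ['from_version' => '*', 'from_inclusive' => true, 'to_version' => 'n/a',  'to_inclusive' => true],
];
foreach ($ranges as $range) {
    $hit = is_version_affected('1.2', $range); // installed version from the plugin list
    $label = $hit === null ? 'malformed range, reported for review' : ($hit ? 'affected' : 'not affected');
    echo $range['to_version'], ' => ', $label, PHP_EOL;
}
```

Returning null for an unusable bound keeps the decision with the caller: a scanner should surface such entries to the operator rather than silently treat the plugin as unaffected.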
I've just started a scan for all sites and it stopped after a number of sites with a critical error:
I'm using 1.4.3 of the plugin. Before the scan I loaded the latest Wordfence API file. On the site where the error occurred, there is no plugin or theme with a strange version number "1.1." so that shouldn't be the cause of this.