monperrus
commented
3 years ago Original email from Wordpress:
Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to an exploit.
https://wordpress.org/plugins/wp-publications
For the next 60 days, your plugin will simply say that it is no longer available for download. After that time, it will state that it was closed for a security issue.
What to Do Next
We understand this can be a shocking and painful email to receive. We do not close plugins lightly, and when it comes to security issues we attempt to balance the volume of users and the history of the developers with the severity and potential for damage of the report. We believe that leaving plugins open would put users at risk if we allowed them to download code that could be exploited, and once an exploit is reported, it is often acted upon by persons nefarious.
To help restore your plugin as quickly as possible, you are required to do the following:
Review the report (listed below) and make corrections to prevent it from being exploitable
Perform a full security and standards review on your own code
Increase the plugin version
Ensure the 'tested up to' version in your readme is the latest release of WordPress
Update the code in SVN
Reply to this email and request a re-review
If you believe the report is not valid, and that your plugin is secure, please reply to this email to let us know. If the vulnerability is XSS or CSRF related, know that Chrome actually prevents those from working in their browser and you may need to check in Firefox or another browser.
Should you, for any reason, find you are unable to update the plugin, please let us know promptly so we can decide on the best course of action to take in order to protect the users. It's okay if you just can't fix this or don't want to.
Plugins are closed immediately and the developer contacted when this happens, in part because we have an imperfect system of notifications. This means until your plugin is corrected to meet our guidelines, we will not reopen it.
Please review our documentation on how to use SVN - https://developer.wordpress.org/plugins/wordpress-org/how-to-use-subversion/#best-practices - as improper SVN usage can delay our reviews.
When we re-review your code we will look at not just the changes, but the entire plugin, so there may be a delay. Rest assured, we prioritize reviews of security related issues above all else.
Vulnerability Report
Your plugin is vulnerable to XSS attacks due to lack of escaping
cve: CVE-2021-38360
file: bibtexbrowser.php:49
poc:
create a file name 1.local.php with content<?php phpinfo();
and then zip it and upload to website,to do that, you need at least an author account.
In addition, since the zip protocol needs to use an absolute path, you need correctly guess the absolute path of the web directory, and then replace the 1-1.zip in the following URL with your actual file path
This is not a full review of your plugin. Should we find other security issues on a re-review, you will be required to fix those before we reopen your plugin. This is because if we found another security issue down the road, we would have to close your plugin again. We feel it's better for your reputation to have a plugin closed once and fixed rather than multiple times.
If you have any questions, please let us know.
-- WordPress Plugin Review Team | plugins@wordpress.org https://make.wordpress.org/plugins/ https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/ {#HS:1623220128-208541#}
nickfmc
A vulnerability has been found in bibtexbrowser, and in Wordpress plugin wp-publications by transitivity.
It's of type CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38360