[wp-trac] [WordPress Trac] #56729: Vulnerability in plugin update notification (impersonation of plugins with possible RCE)
WordPress Trac
noreply at wordpress.org
Tue Oct 4 09:28:08 UTC 2022
#56729: Vulnerability in plugin update notification (impersonation of plugins with
possible RCE)
-----------------------------------+------------------------------
Reporter: sylm87 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version:
Severity: normal | Resolution:
Keywords: has-screenshots close | Focuses: administration
-----------------------------------+------------------------------
Changes (by audrasjb):
* keywords: needs-patch has-screenshots => has-screenshots close
* version: 6.0.2 =>
* severity: critical => normal
Comment:
Hello,
Thank you for opening this ticket and welcome to WordPress Core Trac.
First, you should have read the message concerning security issues when
you submitted this ticket: do **not** report security issues here, but on
the WordPress Hackerone program instead.
By the way, the problem you're encountering was fixed a while ago. You're
simply doing it wrong :)
You should use the Update URI header introduced in WordPress 5.8.
For more information: https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56729#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
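An added example, not part of the original message and not WordPress core code: a small audit that reads the `Update URI` header mentioned in the comment above from each plugin's main file and reports which installed plugins declare none, so a site owner can see which custom plugins still rely on the default update lookup. The set of directory hosts, the sample header and the plugins directory passed to `audit()` are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

HEADER_BYTES = 8192  # WordPress reads plugin headers from the first 8 KiB only
PREFIX = r"^(?:[ \t]*<\?php)?[ \t/*#@]*"  # optional comment decoration before a header name
UPDATE_URI_RE = re.compile(PREFIX + r"Update URI:(.*)$", re.I | re.M)
PLUGIN_NAME_RE = re.compile(PREFIX + r"Plugin Name:(.*)$", re.I | re.M)
DIRECTORY_HOSTS = {"wordpress.org", "w.org"}  # assumption: hosts treated as the official directory


def update_uri(header_text):
    """Return the Update URI header value, or None when the header is absent."""
    m = UPDATE_URI_RE.search(header_text)
    # Drop a trailing comment terminator ("*/" or "?>") and surrounding whitespace.
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip() if m else None


def classify(uri):
    """'missing': no usable header; 'directory': wordpress.org; 'external': anything else."""
    if not uri:
        return "missing"
    host = urlparse(uri if "//" in uri else "//" + uri).hostname or ""
    return "directory" if host in DIRECTORY_HOSTS else "external"


def audit(plugins_dir):
    """Map each file with a plugin header under plugins_dir to its classification."""
    root = Path(plugins_dir)
    results = {}
    for path in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        text = path.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if PLUGIN_NAME_RE.search(text):
            results[path.relative_to(root).as_posix()] = classify(update_uri(text))
    return results


# Constructed sample header of a privately distributed plugin.
SAMPLE = """<?php
/**
 * Plugin Name: Acme Internal Tools
 * Version: 1.4.0
 * Update URI: https://plugins.example.com/acme-internal-tools/
 */
"""

if __name__ == "__main__":
    print(classify(update_uri(SAMPLE)))  # external
```

Plugins reported as `missing` that are not distributed through wordpress.org are the ones to give an `Update URI` header.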