Vulnerability fix for hardcoded encryption key. #885
Conversation
Made the encryption key variable and unique based on user email address to fix the vulnerability reported.
@pinalj It all looks good. Big thumbs up for this one.
I was trying to look into CVE-2023-2986 (I created a POC script here: https://github.com/Ayantaker/CVE-2023-2986), which I guess this fix is for. I tried out the latest plugin version and the vulnerable version 5.14.2 in a WordPress Docker instance, and the encryption key is set to be empty for both instances, which makes it still vulnerable (not sure if I configured something wrong or not?).
@Ayantaker Thank you for testing this out. We are floating this back to our team to look into & will get back to you.
Hi, any update on this? I see a new version has been released.
Hi @Ayantaker, we had allowed backward compatibility for older links to ensure cart recovery is not affected. In yesterday's release the same has now been removed to ensure the patch is completely secure.
Hi @pinalj, not sure I fully grasped that, but I have a few questions:
We have tested the vulnerability on 5.15.1 with your POC script and it looks good. For your reference, we have set up two staging sites. Please find their details below:
Unpatched: 5.14.2
Patched: 5.15.1
Carts have been abandoned on both sites. The unpatched version reveals the vulnerability:
Please let me know if you have any questions.
Hi @handelce, I have actually updated my POC script; not sure if you ran it against the updated one or not, but as you can see it's still able to exploit your version 5.15.1 instance.
@Ayantaker Got that. I'll check the updated script and let you know.
@Ayantaker Thank you for your dedicated effort in seeing that this vulnerability is properly handled. We've taken a look at your POC script and, based on the exploit, we've patched the plugin. We'll be releasing 5.15.2 today and we'd like for you to confirm from your end that things are working fine. Thanking you once more!
Hey @handelce, if you have tested with the updated POC, it should be good to go. Thanks for fixing it! I would recommend filing for a new CVE ID for versions 5.15.0 and 5.15.1, since the previous CVE doesn't cover these versions, or let me know and I can request one as well.
@Ayantaker Yes, please go ahead. Thank you once more!