Just a note: this is not really a bug. The intent of the CSV function is to be allowed to be used publicly; it's sort of the whole thing that started me on this journey back in 2013. Our local website was terrible, but they had a "download CSV" link I could use to make it better. The intent of keeping this a 'nopriv' ajax function was to enable sites to share their data if they chose to. I suppose that there are other ways to go about this, though, that don't look like a security oversight, so I can expedite a 'fix' to revoke this capability.
Contact Details
devs@code4recovery.org
Website With Issue
https://patchstack.com/database/report-preview/68ad7d69-5e92-4fcc-9a30-62501b3b26b8?pin=FUIrb4IghDgUA6b0
What happened?
Technical details of recent vulnerability → Unfortunately our 3.14.27 patch didn't quite fix the problem referred to in the details. While a subscriber could not access the "Import & Export" page when logged in as a subscriber, they could and still can execute "https://code4recovery.org/wp-admin/admin-ajax.php?action=csv" from the address bar and download the meetings.csv file. The good news is that it's pretty easy to wrap the export code with some current_user_can() code. The 3.14.27 patch did get us off the Wordfence radar for now, but we will need to submit a patch link to PatchStack so it doesn't get put out to the larger community in February...
What browsers are you seeing the problem on?
No response
Relevant log output/errors
The original report is available here: https://patchstack.com/database/report-preview/68ad7d69-5e92-4fcc-9a30-62501b3b26b8?pin=FUIrb4IghDgUA6b0
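The capability wrap the report describes, as an added illustration that is not the plugin's own code or the reporter's: a WordPress admin-ajax handler for the `csv` action, gated by `current_user_can()` and an explicit opt-in filter so a site can still choose to publish its data. The callback, data helper, filter name and the `manage_options` capability are placeholders chosen for this example.

```php
<?php
// Added example, not the plugin's code. Hook names follow WordPress's
// wp_ajax_{action} / wp_ajax_nopriv_{action} convention for the "csv" action
// named in the report; callback, helper and filter names are placeholders.
add_action( 'wp_ajax_csv',        'export_meetings_csv_hypothetical' );
add_action( 'wp_ajax_nopriv_csv', 'export_meetings_csv_hypothetical' );

// Constructed sample data standing in for the real meeting query.
function get_meetings_hypothetical() {
    return array(
        array( 'Morning Group', 'Monday',  '07:00' ),
        array( 'Noon Group',    'Tuesday', '12:00' ),
    );
}

function export_meetings_csv_hypothetical() {
    // The unpatched handler began streaming the CSV right here, so any
    // visitor hitting admin-ajax.php?action=csv got the whole file.
    // Public export is now a deliberate per-site choice via a filter,
    // not the default for every install.
    $public_export = (bool) apply_filters( 'meetings_csv_public_export_hypothetical', false );

    // 'manage_options' is an assumed capability; pick one that excludes
    // the Subscriber role the report names.
    if ( ! $public_export && ! current_user_can( 'manage_options' ) ) {
        // Log the refusal so unexpected bulk downloads are visible to the admin.
        error_log( sprintf( 'Refused CSV export for user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="meetings.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'name', 'day', 'time' ) );
    foreach ( get_meetings_hypothetical() as $meeting ) {
        fputcsv( $out, $meeting );
    }
    fclose( $out );
    wp_die(); // admin-ajax callbacks must terminate explicitly
}
```

A site that wants the 2013-style public "download CSV" behaviour opts in with `add_filter( 'meetings_csv_public_export_hypothetical', '__return_true' );`; every other install refuses unauthenticated and low-privilege requests with a 403.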