• I’m getting security notifications that the plugin “StaffList” has a security vulnerability.

    Description: The StaffList plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

    How can this be corrected?


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support ERA404 Support

    (@era404support)

    We will use this forum post to notify you if we are presented with any legitimate claims about a vulnerability. In the meanwhile, StaffList is a plugin that helps site owners publish a full directory of their staff/faculty. Before using the plugin, we urge you to consider whether or not this information is too sensitive to be shared.

    Thread Starter cashdro

    (@cashdro)

    What would constitute a “legitimate claim”? Are you saying someone needs to be hacked before this is looked into more closely?

    Plugin Support ERA404 Support

    (@era404support)

    From Google:

    Be clear and concise: Explain the vulnerability, its potential impact, and how to reproduce it, but avoid revealing sensitive details at this stage.

    What to include in your report

    • Detailed vulnerability description:
      • Explain the issue clearly, its location, and how it can be exploited.
      • Provide steps to reproduce the vulnerability, including screenshots, HTTP requests, or proof-of-concept code.
      • Consider the impact of the vulnerability, referencing CVSS scores where applicable.
    • Relevant details:
      • List affected software and versions.
      • Explain any special configurations needed to reproduce the issue.
      • Suggest potential remediation actions.
      • Include references or external resources for further reading.

    Thread Starter cashdro

    (@cashdro)

    Why are you copying and pasting something you searched up on Google versus having your own company policies for this? You should look into why someone using your plugin would get such an alert. This is a very questionable response. It reeks of unaccountability.


The topic ‘Sensitive Information Exposure’ is closed to new replies.