Security Risk and Update Issues with Xstore Core Plugin and WordPress

This topic has 8 replies, 3 voices, and was last updated 5 months, 2 weeks ago by Andrew Mitchell

  • tdsportsx
    Participant
    June 27, 2024 at 21:30

    Hi,

    I am currently experiencing two significant issues with tdsportsx.com that require immediate attention:

    1. Security Risk for Xstore Core Plugin:
    I have received a notification from my hosting portal indicating a security risk associated with the Xstore Core Plugin. This is concerning, and I would appreciate it if you could investigate and resolve this issue as soon as possible to ensure the security of my website.
    Here is the warning message:
    Security risk: sqli. The plugin contains a vulnerability wherein unauthenticated visitors could inject SQL statements into WordPress. SQL injection could allow an attacker to gain control of your site.

    Severity: critical

    Fixed in: no fix yet

    Security risk: upload. A vulnerability exists wherein an unauthenticated user could upload a malicious file to the site. This could result in the disclosure of sensitive information or lead to complete site compromise.

    Severity: critical

    Fixed in: no fix yet

    Security risk: privesc. It could be possible to elevate a user’s privileges to a higher permission level.

    Severity: critical

    Fixed in: no fix yet

    Security risk: object injection. This is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. This could result in sensitive data disclosure or site compromise.

    Severity: critical

    Fixed in: no fix yet

    Security risk: rfi. A File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanism implemented in the target application. Remote File Inclusion is the process of including files from a remote source.

    Severity: high

    Fixed in: no fix yet

    Security risk: xss. Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitor’s browser can be abused to steal information, or modify site configuration.

    Severity: medium

    Fixed in: no fix yet

    Security risk: no authorisation. An unknown vulnerability exists.

    Severity: medium

    Fixed in: no fix yet

    2. WordPress Update Warning:
    The WordPress update page is displaying a warning that my site will not receive updates for newer versions of WordPress.

    Please look into this matter ASAP, and if there are any additional details or actions required from my side, please let me know; I’ll be happy to assist.

    Thank you

    Files are visible to the topic creator and support staff only.
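The notices quoted above are a scanner's per-finding blocks ("Security risk: … / Severity: … / Fixed in: …"), and the thread later turns on whether the installed plugin version is actually behind the version a fix shipped in. As an added example (not code from this thread, from 8Theme, or from the hosting portal), the Python script below parses notices in that format, reads the installed version from a WordPress plugin header, and ranks findings by severity and patch status so the "no fix yet" entries and real pending updates stand out. The plugin header, the `5.4.x` version numbers and the third notice's "Fixed in" value are constructed for illustration; the first two notices are excerpted from the post.

```python
import re
from typing import Optional

# Lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Sample scanner notices. The first two blocks are excerpted from the post above;
# the third is constructed so that the "fix available" path is exercised.
SAMPLE_NOTICES = """\
Security risk: sqli. The plugin contains a vulnerability wherein unauthenticated visitors could inject SQL statements into WordPress.

Severity: critical

Fixed in: no fix yet

Security risk: xss. Data from an attacker could be interpreted as code by site visitors' web browsers.

Severity: medium

Fixed in: no fix yet

Security risk: upload. A vulnerability exists wherein an unauthenticated user could upload a malicious file to the site.

Severity: critical

Fixed in: 5.4.2
"""

# Constructed plugin header (a hypothetical plugin, not the real XStore Core header).
SAMPLE_PLUGIN_HEADER = """\
<?php
/**
 * Plugin Name: Example Core
 * Description: Constructed sample header for the version check below.
 * Version: 5.4.1
 */
"""

# One notice: risk label, free-text description, severity, fixed-in version.
NOTICE_RE = re.compile(
    r"Security risk:\s*(?P<risk>[^.\n]+)\.(?P<desc>.*?)"
    r"Severity:\s*(?P<severity>\w+)\s+"
    r"Fixed in:\s*(?P<fixed>[^\n]+)",
    re.DOTALL,
)


def parse_notices(text: str) -> list:
    """Turn the scanner's text blocks into dicts; 'no fix yet' becomes fixed_in=None."""
    notices = []
    for m in NOTICE_RE.finditer(text):
        fixed = m.group("fixed").strip()
        notices.append({
            "risk": m.group("risk").strip(),
            "severity": m.group("severity").strip().lower(),
            "fixed_in": None if fixed.lower().startswith("no fix") else fixed,
        })
    return notices


def plugin_version(header: str) -> Optional[str]:
    """Read the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", header, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    """Compare dotted versions numerically; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def triage(notices: list, installed: Optional[str]) -> list:
    """Attach a patch status to each notice and sort by severity, then risk name."""
    rows = []
    for n in notices:
        if n["fixed_in"] is None:
            status = "unpatched"          # vendor has no fix: mitigate or disable
        elif installed is None:
            status = "unknown"            # could not read the installed version
        elif version_tuple(installed) >= version_tuple(n["fixed_in"]):
            status = "patched"            # installed version already carries the fix
        else:
            status = "update available"   # a fixed release exists but is not installed
        rows.append({**n, "status": status})
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["risk"]))
    return rows


def needs_action(rows: list) -> bool:
    """True if any finding is still open on this install."""
    return any(r["status"] in ("unpatched", "update available") for r in rows)


if __name__ == "__main__":
    installed = plugin_version(SAMPLE_PLUGIN_HEADER)
    for r in triage(parse_notices(SAMPLE_NOTICES), installed):
        print(f"{r['severity']:<8} {r['risk']:<10} fixed_in={r['fixed_in']!s:<10} {r['status']}")
```

Run against a real install, the header would be read from the plugin's main PHP file and the notice text pasted from the hosting portal; a "patched" row for a finding the portal still lists as open is exactly the database-lag situation described later in this thread, and is the row to double-check against the vendor's own advisory before dismissing.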
    7 Answers
    Andrew Mitchell
    Support staff
    June 28, 2024 at 13:47

    Hello, tdsportsx,

    Thank you for reaching out. To assist you with the issues you’ve mentioned, we would need access to the admin panel and FTP. It appears that similar problems have been addressed in a recent update, which you can review here: https://patchstack.com/database/vulnerability/et-core-plugin/

    Best Regards,
    8Theme’s Team

    tdsportsx
    Participant
    June 28, 2024 at 21:27

    Reply to “Security Risk and Update Issues with Xstore Core Plugin and WordPress”

    Please contact administrator for this information.
    Rose Tyler
    Support staff
    June 29, 2024 at 08:07

    Hello, tdsportsx,

    We appreciate your prompt response.

    We would like to bring to your attention that utilizing the Appearance theme editor or a file manager plugin to implement fixes or code carries the risk of inducing fatal errors. Such errors could potentially result in you being locked out and the website becoming inaccessible. It is for this reason that we recommend editing files through FTP; the use of the File Manager or theme editor alone does not offer the level of security and control required for such operations.

    To address the issue you are currently facing, you need to obtain FTP access details from your hosting provider. These details include the FTP host, FTP username, FTP password, FTP port, and FTP encryption type.

    Best Regards,
    8Theme’s Team

    tdsportsx
    Participant
    June 29, 2024 at 13:53

    “Security Risk and Update Issues with Xstore Core Plugin and WordPress”

    Please contact administrator for this information.
    Andrew Mitchell
    Support staff
    July 1, 2024 at 10:13

    Hello, tdsportsx,

    Thank you for reaching out and bringing this to our attention. We understand your concerns regarding the synchronization issues between the Wordfence database, from which Jetpack retrieves data, and the databases of WPScan and Patchstack.

    We appreciate your diligence in tracking these errors back to their sources and noting that the issues have been resolved in more detail in the provided videos and screenshots. We will investigate this matter further to ensure that our security data is up-to-date and accurately reflects the current status of vulnerabilities and fixes.

    Ensuring the security and functionality of the XStore Core Plugin and WordPress is a priority for us, and we are committed to providing you with the most reliable and safe experience possible.

    Thank you for your patience and for being a valued member of the 8Theme community. Please do not hesitate to reach out if you have any more questions or require further assistance.

    Best Regards,
    8Theme’s Team

    Files are visible to the topic creator and support staff only.
    tdsportsx
    Participant
    July 3, 2024 at 20:33

    reply

    Please contact administrator for this information.
    Andrew Mitchell
    Support staff
    July 4, 2024 at 08:57

    Hello, tdsportsx,

    We would like to inform you that the issues previously mentioned have been resolved. As communicated earlier, the notices were appearing due to unsynchronized security databases. We have discovered that these databases are synchronized every three months. The next synchronization is scheduled for July 31.

    Thank you for your attention to this matter.

    Best regards,
    8Theme’s Team
