Return to previous page

Security Risk and Update Issues with Xstore Core Plugin and WordPress

This topic has 6 replies, 3 voices, and was last updated 2 days ago ago by Andrew Mitchell

tdsportsx

Participant

June 27, 2024 at 21:30

Hi,

I am currently experiencing two significant issues with tdsportsx.com that require immediate attention:

1. Security Risk for Xstore Core Plugin:
I have received a notification from my hosting portal indicating a security risk associated with the Xstore Core Plugin. This is concerning, and I would appreciate it if you could investigate and resolve this issue as soon as possible to ensure the security of my website.
Here is the warning message:
Security risk: sqli. The plugin contains a vulnerability wherein unauthenticated visitors could inject SQL statements into WordPress. SQL injection could allow an attacker to gain control of your site.

Severity: critical

Fixed in: no fix yet

Security risk: upload. A vulnerability exists wherein an unauthenticated user could upload a malicious file to the site. This could result in the disclosure of sensitive information or lead to complete site compromise.

Severity: critical

Fixed in: no fix yet

Security risk: privesc. It could be possible to elevate a user’s privileges to a higher permission level.

Severity: critical

Fixed in: no fix yet

Security risk: object injection. This is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. This could result in sensitive data disclosure or site compromise.

Severity: critical

Fixed in: no fix yet

Security risk: rfi. A File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. Remote File Inclusion is the process of including files from a remote source.

Severity: high

Fixed in: no fix yet

Security risk: xss. Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.

Severity: medium

Fixed in: no fix yet

Security risk: no authorisation. An unknown vulnerability exists.

Severity: medium

Fixed in: no fix yet

2. WordPress Update Warning:
The WordPress update page is displaying a warning that my site will not receive updates for newer versions of WordPress.

Please look into this matter asap and If there are any additional details or actions required from my side, please let me know, I’ll be happy to assist.

Thank you

Files is visible for topic creator and
support staff only.

#402125 Copied Theme version: 9.3.14

5 Answers

Andrew Mitchell

Support staff

June 28, 2024 at 13:47

Hello, tdsportsx,

Thank you for reaching out. To assist you with the issues you’ve mentioned, we would need access to the admin panel and FTP. It appears that similar problems have been addressed in a recent update, which you can review here: https://patchstack.com/database/vulnerability/et-core-plugin/

Best Regards,
8Theme’s Team

#402229 Copied

tdsportsx

Participant

June 28, 2024 at 21:27

Reply to “Security Risk and Update Issues with Xstore Core Plugin and WordPress”

Content is visible for topic creator and
support staff only.

#402283 Copied

Rose Tyler

Support staff

June 29, 2024 at 08:07

Hello, tdsportsx,

We appreciate your prompt response.

We would like to bring to your attention that utilizing the Appearance theme editor or a file manager plugin to implement fixes or code carries the risk of inducing fatal errors. Such errors could potentially result in you being locked out and the website becoming inaccessible. It is for this reason that we recommend editing files through FTP; the use of the File Manager or theme editor alone does not offer the level of security and control required for such operations.

To address the issue you are currently facing, you need to obtain FTP access details from your hosting provider. These details include the FTP host, FTP username, FTP password, FTP port, and FTP encryption type.

Best Regards,
8Theme’s Team

#402316 Copied

tdsportsx

Participant

June 29, 2024 at 13:53

“Security Risk and Update Issues with Xstore Core Plugin and WordPress”

Content is visible for topic creator and
support staff only.

#402369 Copied

Andrew Mitchell

Support staff

July 1, 2024 at 10:13

Hello, tdsportsx,

Thank you for reaching out and bringing this to our attention. We understand your concerns regarding the synchronization issues between the Wordfence database, from which Jetpack retrieves data, and the databases of WPScan and Patchstack.

We appreciate your diligence in tracking these errors back to their sources and noting that the issues have been resolved in more detail in the provided videos and screenshots. We will investigate this matter further to ensure that our security data is up-to-date and accurately reflects the current status of vulnerabilities and fixes.

Ensuring the security and functionality of the XStore Core Plugin and WordPress is a priority for us, and we are committed to providing you with the most reliable and safe experience possible.

Thank you for your patience and for being a valued member of the 8Theme community. Please do not hesitate to reach out if you have any more questions or require further assistance.

Best Regards,
8Theme’s Team

Files is visible for topic creator and
support staff only.

#402528 Copied
Tagged: woocommerce security updates, woocommerce template issues, wordpress plugin security, wordpress security risks, wordpress xstore issues, xstore core plugin risk, xstore core plugin updates
Viewing 6 results - 1 through 6 (of 6 total)