This topic has 8 replies, 3 voices, and was last updated 4 months, 2 weeks ago by Andrew Mitchell
Hi,
I am currently experiencing two significant issues with tdsportsx.com that require immediate attention:
1. Security Risk for Xstore Core Plugin:
I have received a notification from my hosting portal indicating a security risk associated with the Xstore Core Plugin. This is concerning, and I would appreciate it if you could investigate and resolve this issue as soon as possible to ensure the security of my website.
Here is the warning message:
Security risk: sqli. The plugin contains a vulnerability wherein unauthenticated visitors could inject SQL statements into WordPress. SQL injection could allow an attacker to gain control of your site.
Severity: critical
Fixed in: no fix yet
Security risk: upload. A vulnerability exists wherein an unauthenticated user could upload a malicious file to the site. This could result in the disclosure of sensitive information or lead to complete site compromise.
Severity: critical
Fixed in: no fix yet
Security risk: privesc. It could be possible to elevate a user’s privileges to a higher permission level.
Severity: critical
Fixed in: no fix yet
Security risk: object injection. This is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. This could result in sensitive data disclosure or site compromise.
Severity: critical
Fixed in: no fix yet
Security risk: rfi. A File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. Remote File Inclusion is the process of including files from a remote source.
Severity: high
Fixed in: no fix yet
Security risk: xss. Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.
Severity: medium
Fixed in: no fix yet
Security risk: no authorisation. An unknown vulnerability exists.
Severity: medium
Fixed in: no fix yet
2. WordPress Update Warning:
The WordPress update page is displaying a warning that my site will not receive updates for newer versions of WordPress.
Please look into this matter ASAP, and if there are any additional details or actions required from my side, please let me know; I’ll be happy to assist.
Thank you
Hello, tdsportsx,
Thank you for reaching out. To assist you with the issues you’ve mentioned, we would need access to the admin panel and FTP. It appears that similar problems have been addressed in a recent update, which you can review here: https://patchstack.com/database/vulnerability/et-core-plugin/
Best Regards,
8Theme’s Team
Reply to “Security Risk and Update Issues with Xstore Core Plugin and WordPress”
Hello, tdsportsx,
We appreciate your prompt response.
We would like to bring to your attention that utilizing the Appearance theme editor or a file manager plugin to implement fixes or code carries the risk of inducing fatal errors. Such errors could potentially result in you being locked out and the website becoming inaccessible. It is for this reason that we recommend editing files through FTP; the use of the File Manager or theme editor alone does not offer the level of security and control required for such operations.
To address the issue you are currently facing, you need to obtain FTP access details from your hosting provider. These details include the FTP host, FTP username, FTP password, FTP port, and FTP encryption type.
Best Regards,
8Theme’s Team
Hello, tdsportsx,
Thank you for reaching out and bringing this to our attention. We understand your concerns regarding the synchronization issues between the Wordfence database, from which Jetpack retrieves data, and the databases of WPScan and Patchstack.
We appreciate your diligence in tracking these errors back to their sources and noting that the issues have been resolved in more detail in the provided videos and screenshots. We will investigate this matter further to ensure that our security data is up-to-date and accurately reflects the current status of vulnerabilities and fixes.
Ensuring the security and functionality of the XStore Core Plugin and WordPress is a priority for us, and we are committed to providing you with the most reliable and safe experience possible.
Thank you for your patience and for being a valued member of the 8Theme community. Please do not hesitate to reach out if you have any more questions or require further assistance.
Best Regards,
8Theme’s Team
Hello, tdsportsx,
We would like to inform you that the issues previously mentioned have been resolved. As communicated earlier, the notices were appearing due to unsynchronized security databases. We have discovered that these databases are synchronized every three months. The next synchronization is scheduled for July 31.
Thank you for your attention to this matter.
Best regards,
8Theme’s Team