• Resolved raydale

    (@raydale)


    I’m getting reports that Getwid has vulnerabilities in its latest version. Patchstack are reporting a vulnerability with version 2.1.2 of Getwid here. They are stating that there is no official fix available.

    Whilst I’m aware that there are sometimes false positives with these warnings I’m also a little nervous due to the amount of vulnerabilities that have been reported with this plugin in the past couple of years.

    Can we please confirm whether this is of concern?

Viewing 8 replies - 1 through 8 (of 8 total)
Thread Starter raydale

    (@raydale)

    Okay, we’re now over 3 and a half days without a response to a security issue. The issue is also being reported beyond PatchStack and by other credible sources:

    Without knowing or any confirmation about what the security issue is, I’m left with a dilemma:

    • Do I remove the plugin from any sites and rebuild those areas where the plugin is used (which could be a lot of work)?
    • Or, do I wait for a response and increase security with plugins but still potentially leave the websites vulnerable whilst waiting?

    Hi @raydale

I get your concerns — I feel the same about the vulnerability issues and security at the moment.

I get the same warnings from Wordfence and Patchman. Although it has a 4,x/10 on the scale (Medium), it's classified as Critical.

My clients are using this plugin, as am I for my own sites. I am also in a dilemma, but for now I keep an eye on the sites (because it's a lot of work to deactivate it and search for an alternative…)

I also started a topic about this. Maybe if more people start topics about this, the devs will respond faster and give us an update.

    Kind regards, Bas

    Plugin Support Eugene White

    (@eugenewhite)

    Hello there,

    Sorry for the delayed response.

    Please be informed that our developers are aware of this security vulnerability and will work diligently to resolve it in the next plugin release.

    We appreciate your understanding and apologize for the inconvenience!

    Thread Starter raydale

    (@raydale)

    Thanks @basz85. I agree, people starting additional threads with their own circumstances does tend to shine a bigger light on it.

    Thank you for your response @eugenewhite, it’s good to know that this has been seen and is being worked on.

I’m surprised by the delay in the response. I would also assume that the person who originally discovered the security issue reached out to you before going public? All in all, it’s a bit concerning, especially because GetWid has had more than its fair share of security issues.

    Plugin Support Eugene White

    (@eugenewhite)

    Hello,

    I hope you’re doing well.

    We are excited to announce the release of version 2.1.3 of the Getwid plugin. This update addresses the security vulnerability issue you reported.

    Please update the plugin to the latest version, and feel free to reach out if you need our help.

    Thread Starter raydale

    (@raydale)

    Hi @eugenewhite – thank you for the notice about the update of the plugin and security fix.

    Why in your changelog are you not listing the security fix?

    Plugin Support Eugene White

    (@eugenewhite)

    Hello, @raydale!

    Please be informed that the plugin had a security vulnerability related to the API keys for Google Maps, Mailchimp, and reCAPTCHA. We believe a statement like “Enhanced management of Google Maps, Mailchimp, and reCAPTCHA API keys” is sufficient to indicate that the security vulnerability issue has been resolved.

    Thread Starter raydale

    (@raydale)

I understand what you are saying, but I think we’ll have to agree to disagree there @eugenewhite. By not providing an explicit reference to this being a security fix, you obfuscate it somewhat.
