Make WordPress Core

Opened 3 months ago

Closed 3 months ago

#60649 closed defect (bug) (duplicate)

plupload is extremely outdated, it's used by wp core file, auto update was disabled and found vulnerability

Reported by: harrisonchen
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Hello,
The file is very outdated, and our security scan shows a vulnerability in the current version.
I see that in update-core.php, plupload is disabled from auto updating. I think turning this back on was forgotten after resolving a bug found years ago.
Please take a look and update the plupload.js file if possible.
plupload.js pkg:javascript/plupload@2.1.9
Thank you

Change History (1)

#1 @jorbin
3 months ago

  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Severity changed from major to normal
  • Status changed from new to closed
  • Version 6.4.3 deleted

Hi @harrisonchen, welcome to WordPress Trac. This is a duplicate of #48277, but the TL;DR is Plupload has had more recent versions under a different license, and 2.1.9 is the latest GPL-compatible version.

In addition, if you believe you have found a legitimate security issue, it is imperative to make security-related reports on https://hackerone.com/wordpress. Unfortunately, many automated scans are inaccurate, so please make sure to validate the results before reporting.
