Opened 10 months ago
Closed 10 months ago
#60649 closed defect (bug) (duplicate)
plupload is extremely outdated, it's used by wp core file, auto update was disabled and found vulnerability
| Reported by: | harrisonchen | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Hello,
The file is very outdated; our security scan shows a vulnerability on the current version.
I see that in the update-core.php, plupload is disabled to auto update. I think this was forgotten to turn back on after resolving a bug found years ago.
Please take a look and update the plupload.js file if possible.
plupload.js pkg:javascript/plupload@2.1.9
Thank you
Change History (1)
Hi @harrisonchen, welcome to WordPress Trac. This is a duplicate of #48277, but the TL;DR is Plupload has had more recent versions under a different license, and 2.1.9 is the latest GPL-compatible version.
In addition, if you believe you have found a legitimate security issue, it is imperative to make security-related reports on https://hackerone.com/wordpress. Unfortunately, many automated scans are inaccurate, so please make sure to validate the results before reporting.