Skip to:
Content
Pages
Categories
Search
Top
Bottom

BuddyPress Global Search Vulnerability issue

  • @varunkamani

    Participant

    Recently, the WordFence plugin has been giving me a “critical” error message of:

    The Plugin “BuddyPress Global Search” has been removed from wordpress.org but is still installed on your site.
    Type: Vulnerability Scan

    Is “BuddyPress Global Search” part of the “core” BuddyPress code now? Can I safely remove it?Currently, the site is using global search functionality. If I remove it, the feature might break. How can I fix this issue without causing any disruptions?

Viewing 9 replies - 1 through 9 (of 9 total)
  • @dreampixel

    Participant

    BuddyPress Global Search is a separate plugin that enables you to use some better search-functions. This plugin has been abandoned for a while and could be a security risk on your site. A lot of people still use it – what version do you have of the plugin?

    You could just “ignore” the warning within your WordFence control panel, since you already know having this plugin is in itself a risk to your site.

    @dreampixel

    Participant

    The latest version I’ve been able to find (and use myself) is the 1.2.1 version – also have this as local copy if your version is older than this and needs an update.

    @varunkamani

    Participant

    Yes, my current version is 1.2.1. If I don’t choose to “ignore” it in Wordfence, how can I fix this issue? Could it pose a security risk to the site?

    @dreampixel

    Participant

    @varunkamani it’s not that simple.

    The vulnerability issue in this case is Cross Site Scripting (XSS).

    This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

    It is a known risk in general to use outdated and unsupported plugins on any site.

    In order to “fix this” the plugin itself would need to be updated to reach the security standard. You can also look online for solutions to manage this, but it might not be the only vulnerability about the plugin itself. Like mentioned – old and outdated plugins are a risk.

    You could check out this link:
    Cross Site Scripting

    A solution could also be to use a different plugin that is updated and supported.

    What theme are you using?

    @dreampixel

    Participant

    @varunkamani

    This might also be worth looking into (might be worth it).

    Prevent XSS Vulnerability

    @dreampixel

    Participant

    Personally I use the following (PRO version) – depends on what you want from your site and what your budget is. 🙂

    The PRO version uses Security Headers that offers XSS Protection and other cool features too.

    Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)

    @varunkamani

    Participant

    The site is using a child theme. Should I look for new and similar plugins to find a better solution?

    @varunkamani

    Participant

    Hey @GyziieDK, can you provide me with a solution for this topic?

    @dreampixel

    Participant

    Hello @varunkamani

    I already gave you a few options to choose from, so in the end it’s up to you.

    1. Ignore error and keep plugin
    Keep the plugin and accept the fact that it comes with some issues and risks.
    The risk itself is pretty low when it comes to the XSS since this is pretty common.
    Like mentioned before, old and unsupported plugins do come with some risk.

    2. Find a different plugin
    Find a different plugin that is updated that can provide you with the features you need/want.
    You can search on both WordPress.Org or other sites like Google, CodeCanyon etc.

    https://wordpress.org/plugins/

    3. Use a third party security plugin
    Download and install a third party security plugin that can help prevent the XSS attacks on your site. This could be either free or paid/premium depending on your budget and needs.

    4. Get a developer to help you update current plugin
    If you insist on keeping the BuddyPress Global Search and you want it updated to fix its current issues, you’d need to pay a developer to help you update the plugin itself. This might not be the best solution long term, and I would also assume BuddyBoss themselves would update this if they felt it was necessary. The fact that they talked about updating it for the past 3 years and now left it abandoned tells me that it’s not a priority for them.

    From a quick search on the forums, this topic has been up several times before for the past many years, so don’t expect an easy or “free” solution for this.

    Hope it helps! 🙂

Viewing 9 replies - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.
Skip to toolbar