
Some code feedback from Plugin Inspector


  • mln83
    Participant

    @mln83

    Hi guys,

    I am running some tests on my site and found a few deprecated functions and recommendations for the BuddyPress plugin:

    Unsafe: /buddypress/bp-groups/bp-groups-actions.php
    base64_decode at line 141:
        $bp->groups->completed_create_steps = json_decode( base64_decode( stripslashes( $_COOKIE['bp_completed_create_steps'] ) ) );
    Potential risk: High. Decodes data encoded with MIME base64. May be used to obfuscate (hide) malicious code. Often paired with the eval function to execute malicious code.

    Deprecated, Unsafe: /buddypress/bp-forums/bbpress/bb-includes/functions.bb-core.php
    force_ssl_login at line 566:
        ( ( $context & BB_URI_CONTEXT_BB_USER_FORMS ) && force_ssl_login() ) // Force https when required on user forms
    Deprecated since 4.4.0: use force_ssl_admin()

    For a full report, I suggest you take a look at Plugin Inspector – https://wordpress.org/plugins/plugin-inspector/

    Best regards,
    Michael

Viewing 1 replies (of 1 total)

  • danbp
    Participant

    @danbp

    Hi,

    thank you for reporting your thoughts. But the mentioned warnings are very generic and, more importantly, related to vulnerabilities listed by the WPScan Vulnerability Database. It gives you some information, but you have to investigate further when you get such alerts.

    But before you panic, check WPScan and one or two other services to confirm. In 2016, such information is also relayed by social networks. If you find nothing there, you’re probably not concerned, even if the plugin lets you know about a defect. 🙂

    In your examples, the first message is related to a step cookie using JSON, and the second mentions a deprecated function. This doesn’t mean it is bad or dangerous, but that it is no longer used, or mostly that it will be removed in a future version. Until then, it continues to work.

    Once reported by WPScan, the plugin relays a vulnerability on your site. That’s fine, but it doesn’t mean the vulnerability affected your site, or even that the vulnerability wasn’t already solved. For example, you will see that BuddyPress isn’t reported on WPScan. And the 2 vulnerabilities reported for bbPress (in 2014!) were both solved in version 2.0. FYI, the latest stable version of bbPress is 2.5.8.

    From experience, I can tell that most vulnerabilities in WP and sister projects like BuddyPress are actively handled within a few hours after they have been reported.

    It’s important to be concerned about security, but it’s also important to know about security (not only trusting a plugin) and to be savvy about it, so as not to sink into paranoia. 😉

    A first step into WP security would be to read here.

    As best-practice advice: contact the devs directly when you are aware of a vulnerability. Don’t give any public information or details about it (to avoid replication) and stay discreet, at least until you have received some official instructions.

    Of course you can also mention all this to the devs here: https://buddypress.trac.wordpress.org/report
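    To show what investigating the first alert looks like in practice, here is a hardened version of the step-cookie read, written as an added example (not BuddyPress code): base64 itself is not the risk, so the decode stays, and the result is checked against a caller-supplied list of allowed step slugs (the slug values below are constructed).

```php
<?php
// Added example, not BuddyPress code. Assumption: $allowed_steps is the list
// of valid group-creation step slugs for this site; values are constructed.

/**
 * Decode the bp_completed_create_steps cookie and return only known step
 * slugs. Returns an empty array when the cookie is missing or malformed.
 *
 * @param string|null $raw           Raw cookie value ($_COOKIE[...]).
 * @param string[]    $allowed_steps Whitelist of valid step slugs.
 * @return string[]
 */
function example_read_completed_steps( $raw, array $allowed_steps ) {
	// Reject anything that is not a short, non-empty string.
	if ( ! is_string( $raw ) || $raw === '' || strlen( $raw ) > 1024 ) {
		return array();
	}

	// Strict mode rejects characters outside the base64 alphabet instead
	// of silently discarding them.
	$decoded = base64_decode( stripslashes( $raw ), true );
	if ( $decoded === false ) {
		return array();
	}

	// A flat list of strings is all we expect, so limit nesting depth.
	$steps = json_decode( $decoded, true, 2 );
	if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $steps ) ) {
		return array();
	}

	// Keep only string values present in the whitelist; drop everything else.
	$clean = array();
	foreach ( $steps as $step ) {
		if ( is_string( $step ) && in_array( $step, $allowed_steps, true ) ) {
			$clean[] = $step;
		}
	}
	return array_values( array_unique( $clean ) );
}

// Constructed samples: a well-formed cookie, a nested structure, and
// a value that is not valid base64 at all.
$allowed = array( 'group-details', 'group-settings', 'group-avatar' );
$good    = base64_encode( json_encode( array( 'group-details', 'group-settings' ) ) );
$nested  = base64_encode( '{"steps":{"nested":true}}' );
$garbage = 'not%valid*base64';

var_dump( example_read_completed_steps( $good, $allowed ) );    // the two valid slugs
var_dump( example_read_completed_steps( $nested, $allowed ) );  // array()
var_dump( example_read_completed_steps( $garbage, $allowed ) ); // array()
```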
