
[Resolved] Critical Vulnerability found

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


This topic contains 5 replies, has 3 voices.

Last updated by valerieC-2 1 year, 8 months ago.

Assisted by: Mateus Getulio.

#2566697

Are you aware of hidden link?

#2567017

Mateus Getulio
Supporter

Languages: English

Timezone: America/Sao_Paulo (GMT-03:00)

Hello there,

Thanks for your contact.

We have just released Toolset Types version 3.4.18, with a fix for this "vulnerability" issue. You can download the latest Toolset Types plugin from your account's downloads page: https://toolset.com/account/downloads/, or you can install/update Toolset plugins using the installer plugin - please click on the "Check for updates" button: https://toolset.com/faq/how-to-install-and-register-toolset/#automatic-installation-once-you-have-otgs-installer-plugin-installed

Regards,
Mateus.

#2567413

Thank you. I am updating all sites as we speak.
But why do you say [this "vulnerability" issue]? You are not convinced it's a vulnerability?

#2567909

Mateus Getulio
Supporter

Languages: English

Timezone: America/Sao_Paulo (GMT-03:00)

Hi there,

Thanks for your reply.

Sorry for not explaining this well before. So, here are our findings about the issue:

We had several reports about the possible vulnerability in Types (seems that it just went public in Plesk, linking back to patchstack): hidden link

This report has limited details, but unless there is something extra, it appears to be a non-issue. Because it says that administrators can upload arbitrary files, presumably that relates to the File field type, for uploading and storing files. Editing a post and uploading files to the file field uses the WordPress Media Uploader, and it determines the allowable file types (mostly images, videos, audio, and documents), which excludes executables like .php files. Therefore, this is not arbitrary.

Site administrators can override this by setting the constant ALLOW_UNFILTERED_UPLOADS to true in wp-config.php. Absent further details, it doesn't appear to be a vulnerability from our perspective.

I hope that everything is clear now. Thank you!
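How the allowlist described in the reply above actually gates a filename, shown as an added Python model (this is not WordPress, Toolset or the supporter's code): it mirrors the extension match that WordPress's wp_check_filetype() performs against the allowed-MIME map, uses a flag standing in for the ALLOW_UNFILTERED_UPLOADS constant, and adds a helper that checks a wp-config.php body for that constant. The MIME table is an assumed subset of WordPress's default list, and the filenames and config text are constructed sample input.

```python
"""Model of the WordPress upload-type allowlist discussed in the thread.

Added example, not WordPress or Toolset code. It reproduces the rule of
wp_check_filetype(): the filename's final extension is matched against the
keys of the allowed-MIME map ('jpg|jpeg|jpe' => 'image/jpeg', ...), and a
name that matches no group is rejected. ALLOWED_MIMES is a constructed
subset of WordPress's default get_allowed_mime_types() output.
"""
import re

# Constructed subset of the WordPress default allowed-MIME map. Keys are
# pipe-separated extension groups, stored the same way WordPress stores them.
ALLOWED_MIMES = {
    "jpg|jpeg|jpe": "image/jpeg",
    "gif": "image/gif",
    "png": "image/png",
    "webp": "image/webp",
    "mp3|m4a|m4b": "audio/mpeg",
    "mp4|m4v": "video/mp4",
    "pdf": "application/pdf",
    "doc": "application/msword",
    "txt|asc|c|cc|h|srt": "text/plain",
    "zip": "application/zip",
}


def wp_check_filetype(filename, mimes=ALLOWED_MIMES):
    """Return (ext, mime) for an allowed filename, or (None, None).

    Same rule as WordPress: match '.(ext1|ext2)$' case-insensitively for
    each group. Only the final extension is considered, so 'x.php.jpg'
    is treated as a jpg at this step.
    """
    for ext_group, mime in mimes.items():
        match = re.search(r"\.(" + ext_group + r")$", filename, re.IGNORECASE)
        if match:
            return match.group(1).lower(), mime
    return None, None


def upload_allowed(filename, allow_unfiltered_uploads=False):
    """Decide whether the media uploader's type check accepts a filename.

    allow_unfiltered_uploads models the ALLOW_UNFILTERED_UPLOADS constant:
    when it is set, the allowlist is bypassed and any extension passes
    (capability checks still apply in WordPress but are outside this model).
    """
    if allow_unfiltered_uploads:
        return True
    ext, _ = wp_check_filetype(filename)
    return ext is not None


def triage(filenames, allow_unfiltered_uploads=False):
    """Return the subset of filenames the type check would accept."""
    return [f for f in filenames if upload_allowed(f, allow_unfiltered_uploads)]


# Matches define( 'ALLOW_UNFILTERED_UPLOADS', true ); in either quote style
# with arbitrary spacing. A line commented out with // or # does not match
# because the define must start the line; /* */ block comments are not handled.
_UNFILTERED_RE = re.compile(
    r"""^\s*define\s*\(\s*['"]ALLOW_UNFILTERED_UPLOADS['"]\s*,\s*(?:true|1)\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)


def unfiltered_uploads_enabled(wp_config_text):
    """True if the given wp-config.php body enables ALLOW_UNFILTERED_UPLOADS."""
    return _UNFILTERED_RE.search(wp_config_text) is not None


# Constructed sample filenames: what an editor might try to attach to a file field.
SAMPLE_UPLOADS = [
    "report.pdf", "photo.JPG", "shell.php", "shell.phtml",
    "shell.php.jpg", "archive.zip", "notes.txt",
]

# Constructed wp-config.php fragment with the override switched on.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'ALLOW_UNFILTERED_UPLOADS', true );
define( 'WP_DEBUG', false );
"""

if __name__ == "__main__":
    print("default allowlist  :", triage(SAMPLE_UPLOADS))
    print("unfiltered uploads :", triage(SAMPLE_UPLOADS, allow_unfiltered_uploads=True))
    print("config enables it  :", unfiltered_uploads_enabled(SAMPLE_WP_CONFIG))
```

With the default list, shell.php and shell.phtml are rejected outright while shell.php.jpg passes this first step, because only the last extension is matched; WordPress's wp_check_filetype_and_ext() then inspects the content of image uploads, and whether a server would ever execute a file named .php.jpg depends on its handler configuration, which is outside this model. Setting the constant removes the allowlist entirely, which is why the reply treats it as a site-administrator decision rather than a plugin defect.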

#2568167

My issue is resolved now. Thank you!

#2568481

My sites are registered. I'm not seeing the 3.4.18 version as available. (none of the sites I use it on show an update available)

Is this only for uploads that don't have file types designated for an upload field?