[Resolved] TOOLSET VULNERABLITIES WARNING

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


This topic contains 3 replies, has 2 voices.

Last updated by Mateus Getulio 1 year, 1 month ago.

Assisted by: Mateus Getulio.

#2567967

All my sites that use Toolset are listed as WARNINGS:

Category: PLUGIN
Versions Affected: <= 3.4.17
Type: Upload
Severity: HIGH
Description: Dave Jong (Patchstack) discovered and reported this Arbitrary File Upload vulnerability in WordPress Types Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website.

#2568065

Mateus Getulio
Supporter

Languages: English (English)

Timezone: America/Sao_Paulo (GMT-03:00)

Hi Lisa,

Thanks for your contact.

We had several reports about the possible vulnerability in Types (it seems that it just went public in Plesk, linking back to Patchstack): hidden link. So, here are our findings about this issue:

This report has limited details, but unless there is something extra, it appears to be a non-issue. Because it says that administrators can upload arbitrary files, presumably that relates to the File field type, for uploading and storing files. Editing a post and uploading files to the file field uses the WordPress Media Uploader, and it determines the allowable file types (mostly images, videos, audio, and documents), which excludes executables like .php files. Therefore, this is not arbitrary.

Moreover, site administrators can override this by setting the constant ALLOW_UNFILTERED_UPLOADS to true in wp-config.php. Absent further details, it doesn't appear to be a vulnerability from our perspective.

We have already released a new version, Types 3.4.18, which includes a fix for this "vulnerability". You can update either from the downloads page, or you may need to click the "Check for updates" button in Plugins -> Add New -> Commercial tab.

I hope that everything is clear and solved now. Thank you!

Regards,
Mateus.
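As an added illustration of the mechanism the reply above describes (this is example code written for this page, not Toolset's code and not part of the Types plugin), the following must-use plugin makes the three points concrete: it surfaces the ALLOW_UNFILTERED_UPLOADS override in the admin screen, restricts the allowlist that the Media Uploader consults through the upload_mimes filter, and re-runs WordPress's own extension-versus-content check on every upload, including for users who hold the unfiltered_upload capability that the constant grants. The allowlist contents (an image-and-PDF site), the file name and the 'upload-hardening' text domain are assumptions.

```php
<?php
/**
 * Plugin Name: Upload hardening (added example, not Toolset code)
 * Description: Tightens the Media Uploader allowlist and flags the
 *              ALLOW_UNFILTERED_UPLOADS override.
 *
 * Install as wp-content/mu-plugins/upload-hardening.php so it loads before
 * ordinary plugins (file name and text domain are assumptions).
 */

// 1. Surface the override. When ALLOW_UNFILTERED_UPLOADS is true, WordPress
//    grants the 'unfiltered_upload' capability (administrators on a single
//    site, super admins on multisite) and wp_handle_upload() then skips its
//    extension/MIME check, so a .php file is accepted like any other.
add_action( 'admin_notices', function () {
    if ( defined( 'ALLOW_UNFILTERED_UPLOADS' ) && ALLOW_UNFILTERED_UPLOADS ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html__( 'ALLOW_UNFILTERED_UPLOADS is set in wp-config.php: upload file-type filtering is disabled for administrators.', 'upload-hardening' )
        );
    }
} );

// 2. Shrink the allowlist. get_allowed_mime_types() starts from
//    wp_get_mime_types() and passes it through 'upload_mimes'; any extension
//    left out here is refused by the uploader, and therefore by a plugin file
//    field that goes through the Media Uploader. The set below is an
//    assumption for an image-and-PDF site; keys must match WordPress's own,
//    e.g. 'jpg|jpeg|jpe'.
add_filter( 'upload_mimes', function ( array $mimes ) {
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
        'pdf'          => 'application/pdf',
    );
    // Hand back only entries core already knows, so a typo here cannot
    // widen the list beyond what WordPress itself would allow.
    return array_intersect_key( $allowed, $mimes );
}, 10 );

// 3. Re-verify content against extension for every upload, regardless of
//    capability. Core applies 'wp_handle_upload_prefilter' before its own
//    check, and its own check is skipped for 'unfiltered_upload' users; this
//    hook is not. wp_check_filetype_and_ext() matches the extension against
//    the allowlist and, for images and finfo-detectable types, compares it
//    with what the bytes actually are; an unlisted extension or a mismatch
//    comes back with an empty 'ext'.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    if ( ! empty( $file['error'] ) || empty( $file['tmp_name'] ) ) {
        return $file; // already rejected upstream, nothing to inspect
    }
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = sprintf(
            /* translators: %s: uploaded file name */
            __( 'Upload of "%s" refused: extension is not on the allowlist or does not match the file contents.', 'upload-hardening' ),
            $file['name']
        );
    }
    return $file;
}, 10 );
```

To check it, upload two test files through Media -> Add New or through a Types file field: a file named test.php, and a file named test.jpg whose contents are PHP rather than image data. Both should be refused with the message from step 3, and the result should be the same whether or not ALLOW_UNFILTERED_UPLOADS is defined in wp-config.php, since the prefilter runs before core's capability-gated check.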

#2568405

Thanks for all this explanation. I looked at my website and it just says it has the latest version. Since you have updated the plugin, how long will it take before it shows that there is an update, so I can update it with your latest? I don't know how to update it otherwise. Thank you.

#2568679

Mateus Getulio
Supporter

Hey there,

Thanks for your reply.

To see the update available you need to follow these steps:

- Go to Plugins -> Add New -> Commercial tab
- Then, click on the 'Check for updates' button, to see the available update
- Here's a screenshot showing this step-by-step: https://toolset.com/wp-content/uploads/2022/11/check-for-updates-toolset.png

You can also get this version from your downloads page: https://toolset.com/account/downloads/, and upload directly in the Plugins -> Add New section.

Please try out these solutions and let us know if it is solved now. Thank you!
