Documentation #25155
closed
Added by scott voth 26 days ago.
Updated 4 days ago.
Category name:
WordPress Plugins
Description
When reviewing documentation on Anthologize, I saw that wordpress.org has made it unavailable due to security issue. See attached screenshot. Is this something we should be concerned about?
Files
- Status changed from New to Staged for Production Release
- Target version set to 2.7.7
Thanks for the pointer, Ray.
The Patchstack report doesn't specifically say where the CSRF vulnerability is, but I can say with certainty that there's a number of places through the Anthologize plugin where nonces ought to be utilized but are not. As you said, though, the risks here are minimal.
My previous experience with issues of this type suggests that, in order to get Anthologize relisted on wordpress.org, the plugin will need to go through the full plugin audit process. I just did a scan using the plugin-check tool and it confirms my fears that such an audit would turn up hundreds of issues that would need manual fixing. This is beyond the scope of what I can reasonably do for a tool that is so old and so little used. The linked PR appears to be an AI-generated attempt to bring the plugin (sorta) up-to-date, but simply reviewing this PR would take many hours of testing.
Anthologize is sufficiently old and unmaintained that I think we should hide it from being activated in the future. I've gone ahead and made this change in https://github.com/cuny-academic-commons/cac/commit/da749b06f0faba0325e26eca8239d60e9143d905 I don't see a reason at this time why we need to remove it from the codebase.
- Status changed from Staged for Production Release to Resolved
Also available in: Atom
PDF