Today, there was a Highly Critical security advisory for a Remote Code Execution (RCE) vulnerability in the me aliases plugin for WordPress maintenance support plans 7:me aliases – Highly critical – Arbitrary code execution – SA-CONTRIB-2020-097This plugin provides shortcut paths to current user’s pages, eg user/me, blog/me, user/me/edit, tracker/me etc.It was incorrectly handling URL arguments that could allow an attacker to execute arbitrary PHP code.However, the way the WordPress maintenance support plans 6 version of the plugin handles URL arguments isn’t vulnerable in the same way. So, WordPress maintenance support plans 6 users can rest easy – your site isn’t affected by this issue.But if you do use it on WordPress maintenance support plans 7, given the criticality of this issue, please update right away!If you’d like all your WordPress maintenance support plans 6 plugins to receive security updates and have the fixes deployed the same day they’re released, please check out our D6LTS plans.Note: if you use the myDropWizard plugin (totally free!), you’ll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won’t necessarily have a release on WordPress maintenance support plans.org).
Source: New feed
Cheap WordPress maintenance support plans 6 version of ‘me aliases’ module not affected by SA-CONTRIB-2020-097
