Arbitrary Code Execution
-
WordPress Widget Options Plugin <= 4.1.0 – Arbitrary Code Execution vulnerability
Severity is rated at 9.9!!!
-
Hi dear users,
Our dev team has recently been informed about this issue and is actively working on a fix.
In the meantime, if you’re not using the Display Logic feature, we recommend disabling it to remove the vulnerability notification.
Kind Regards,
Mej, Widget Options Team

Wrong. Disabling display logic doesn’t fix it. Severity rating at 9.9. Critical.
Why hasn’t this been fixed? Severity rating of 9.9.
Hi dear users,
The patch is currently in QA testing and will be released soon once the vulnerability is resolved. Stay tuned for updates!
In my opinion, Patchstack often does not follow the best approach when releasing information about vulnerabilities – but they have their firewall as a solution 😉
They tend to announce vulnerabilities before fixes are available, which can be problematic, especially for open-source projects. This approach could lead to unnecessary panic or confusion, especially when there is no immediate solution in sight. While I understand the urgency to inform users, I believe it’s worth considering whether the timeframe could be adjusted to allow for patches to be released before the vulnerabilities are made public. This would give developers time to resolve issues without putting users at risk unnecessarily.

Hi @bindevid,
We’re pleased to let you know that a new version has been released, which includes a patch for the vulnerability reported by Patchstack.
Please update to the latest version at your earliest convenience. If you need any further assistance, don’t hesitate to reach out again to us.
Kind Regards,
Mej, Widget Options Team

Thank you for letting us all know. 🙂
Thank you @mej
1.000 THANX!
You’re always welcome! @norwood451 @em-m @about2press
Best Regards,
Mej, Widget Options Team

Hi, the plugin patch seems to just block this feature for non-admin roles, including those created by another role editor plugin. This doesn’t really solve the issue for us, as we reserve the admin role for only the highest level and we have people at editor/manager level who have been managing widgets for years.
Are devs working on a better, perhaps WYSIWYG, solution that does not require any scripts? That would be ideal. Thx!

Hi @aparentdesign,
We’ve restricted certain access for user roles lower than Administrator to help prevent potential vulnerabilities within the plugin.
Our team is continuously working to improve the plugin’s functionality while prioritizing security and minimizing any vulnerability concerns.
Thank you for your understanding, and please feel free to reach out if you have any questions or suggestions!
Kind Regards,
Mej, Widget Options Team

@mej,
Thanks, but that solution effectively makes this plugin not useable at all for us. Our workflow is blocked. Is this a short-term solution while devs are working on something better? What other options are there?
As I suggested before, you currently use a wysiwyg method for filtering widgets on Pages, i.e., users search for a post and select the name visually rather than inserting any code anywhere. Can we use something like that but applied to Posts, instead of using conditional logic? Has this suggestion been forwarded to devs? It seems like this would not involve a lot of code changes since the functionality exists.
-A

Hi @aparentdesign,
Thanks for the follow-up, and we understand how this is affecting your workflow.
The current workaround is a long-term solution, and we’ve already forwarded your suggestion to the dev team for review.
We’ll keep you updated as soon as we hear back from the team. Thanks again.
Kind Regards,
Mej, Widget Options Team

Just a little typo to clarify, @aparentdesign: the current workaround isn’t a long-term solution. We’re actively working on improving the plugin’s functionality to ensure a smoother experience and prevent any ongoing issues for our users.
Kind Regards,
Mej, Widget Options Team
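The patch discussed above restricts the Display Logic feature to the Administrator role, which locks out custom roles created with a role-editor plugin. The following is an added example written for this page, not code from the Widget Options plugin, showing the difference between gating a dangerous feature on a role name and gating it on a capability that a site owner can grant to any role. The capability name `manage_widget_display_logic`, the option key `example_display_logic`, and every function name below are hypothetical.

```php
<?php
// Added example for this thread, not code from the Widget Options plugin.
// Hypothetical names: the capability 'manage_widget_display_logic', the
// option key 'example_display_logic', and all example_* functions.

// Register the custom capability once (on plugin activation) so that site
// owners can grant it to any role, including roles created by a role-editor
// plugin. By default only Administrator receives it.
function example_register_display_logic_cap() {
    $admin = get_role( 'administrator' );
    if ( $admin && ! $admin->has_cap( 'manage_widget_display_logic' ) ) {
        $admin->add_cap( 'manage_widget_display_logic' );
    }
}
register_activation_hook( __FILE__, 'example_register_display_logic_cap' );

// Weak gate: tests the role *name*. A custom "widget-manager" role created by
// a role editor is locked out even if the site owner trusts it, which is the
// situation described in the thread.
function example_can_edit_display_logic_by_role() {
    $user = wp_get_current_user();
    return in_array( 'administrator', (array) $user->roles, true );
}

// Preferred gate: tests a capability. Any role that has been granted the
// capability passes; admins-only is still the default because nothing else
// has the capability until the owner grants it.
function example_can_edit_display_logic() {
    return current_user_can( 'manage_widget_display_logic' );
}

// Save handler: the check is enforced server-side on write, not only hidden
// in the UI, and the request is nonce-checked before anything is stored.
function example_save_display_logic( $widget_id, $logic ) {
    if ( ! example_can_edit_display_logic() ) {
        wp_die( 'You are not allowed to edit display logic.', 403 );
    }
    check_admin_referer( 'example_display_logic_' . $widget_id );

    $stored = get_option( 'example_display_logic', array() );
    $stored[ sanitize_key( $widget_id ) ] = wp_unslash( $logic );
    update_option( 'example_display_logic', $stored );
}

// How a site owner could grant the feature to an existing custom role
// (for example one created with a role-editor plugin) without making that
// role an Administrator.
function example_grant_display_logic_to_role( $role_slug ) {
    $role = get_role( $role_slug );
    if ( $role ) {
        $role->add_cap( 'manage_widget_display_logic' );
    }
}
```

One caveat a site owner should weigh before granting such a capability: the gate only controls who may write the logic. If the stored logic is later executed as code on the server, everyone holding that capability can execute arbitrary code, so granting it is equivalent to granting full server access, which is precisely why the vendor limited the feature to Administrators.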