Bridge Core plugin 3.0.9 reported vulnerability

For the last 10 days, since 29th August, the Bridge Core plugin has been producing alerts on my website.

Both Simple SSL and Wordfence highlight that a vulnerability has been found and that use of the Bridge Core plugin renders the website vulnerable.

OK, so I leap into action to check for an update from Qode - nothing. What about Envato - nothing. I then download the whole Bridge theme (which contains the Core plugin) and reload it. The version is exactly the same, 3.0.9. The one that is highlighted as being vulnerable.

In fact, AFAIK although Bridge proudly proclaims that it is used in >200k websites, it seems that they are all vulnerable and nothing is being done.

Unless I am missing something.

Does anyone have any ideas?



The author stated that they are working on a patch, in the theme’s comments section:

It is in the progress of updating and it will be released next week. If you need assistance with the security vulnerability, we would appreciate it if you could send us a mail to our help center providing your purchase code in it and our team will provide you with the fix until the update is released.

This is a cross-site scripting vulnerability. The attack surface for these is quite limited with no potential to damage or infiltrate the website’s internals, and no proof-of-concept has been published for the vulnerability yet, both of which grant the author some time to address it properly.

So, be on the lookout for a patch, but it’s nothing critically urgent.

Phew. Thank you.
I tried to look at the site but my credentials are too old and I don’t qualify for support.
I appreciate your help.