How long is it reasonable to wait for developers to patch known vulnerabilities in their plugins?
This plugin was reported 8 days ago on numerous sites as having a vulnerability.
See CVE-2023-47687: VJInfotech Woo Custom and Sequential Order Number Plugin cross-site request forgery
Does anyone know if it is possible to migrate to another plugin without losing the order numbers created by this plugin?
I’ve never had an issue with any plugin from Envato until now.
For a medium severity like this, maybe 2-3 weeks. There’s no risk to the website itself since this is a CSRF vulnerability.
I’d say just look out for suspicious links in contact form submissions until then – they could potentially be crafted to change your admin password when opened, but it really depends on the vulnerability.
You would need to be actively logged into the WordPress admin account for that to work, so if you do get any suspicious links, opening them in incognito mode or a different browser will mitigate the risk entirely.
Plus, this vulnerability was reported by a researcher, and the plugin isn’t very popular, so it’s highly likely that the vulnerability isn’t being exploited in the wild at all.
This question is best directed to the author of a competing plugin. In general you should assume the answer is no, unless an author tells you otherwise.
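As an added illustration of the mechanism the answer above describes (this is example code written for this page, not code from the plugin in question or from anyone in the thread): a hypothetical WordPress admin-post handler in its CSRF-prone form beside the nonce-protected form. Every name here (`demo_*`, `order_prefix`, the option key) is made up for the example. The WordPress functions used (`add_action`, `check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`, `wp_safe_redirect`) are the real core APIs.

```php
<?php
/*
 * Hypothetical WordPress settings handler (example only, not the plugin's code).
 * Both variants run on wp-admin/admin-post.php, which only does anything for a
 * logged-in user whose cookies the browser attaches automatically. A CSRF page
 * relies on exactly that: the victim's browser sends the request, with the
 * session cookie, without the victim seeing a form.
 */

// VULNERABLE: trusts any POST that arrives with a valid login cookie.
// A page on another site can submit
//   <form method="post" action="https://victim.example/wp-admin/admin-post.php">
//     <input name="action" value="demo_save_vuln"> <input name="order_prefix" value="...">
// and, if an admin is logged in when it loads, the setting is changed.
add_action( 'admin_post_demo_save_vuln', function () {
    $prefix = isset( $_POST['order_prefix'] ) ? $_POST['order_prefix'] : '';
    update_option( 'demo_order_prefix', $prefix ); // attacker-controlled value stored
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
} );

// HARDENED: capability check plus a nonce bound to this action and this user.
// The nonce value lives only in the legitimate settings page; another origin
// cannot read it (same-origin policy), so a cross-site form cannot supply it
// and check_admin_referer() rejects the request.
add_action( 'admin_post_demo_save_safe', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Calls wp_verify_nonce() on $_POST['demo_nonce'] and dies on failure.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    $prefix = isset( $_POST['order_prefix'] )
        ? sanitize_text_field( wp_unslash( $_POST['order_prefix'] ) )
        : '';
    update_option( 'demo_order_prefix', $prefix );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo&updated=1' ) );
    exit;
} );

// Settings form that pairs with the hardened handler. wp_nonce_field() emits
// the hidden demo_nonce input (plus a _wp_http_referer field) that the
// handler verifies.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_safe">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <label>Order prefix
            <input type="text" name="order_prefix"
                   value="<?php echo esc_attr( get_option( 'demo_order_prefix', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The point the answer makes about needing an active admin session follows directly from the first handler: the request is only honoured because the browser attaches the victim's login cookie. The second handler shows the standard WordPress fix, a per-user, per-action nonce checked before any state change; a capability check alone is not enough, because the logged-in admin does have the capability.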
Many thanks baileyherbert.
It is good to have an explanation of the exploit and its limitations.
The author says the updated version is awaiting approval from Envato.