Patchman Overwriting ClassicPress with WordPress Files

I’m using a reseller account at A2 Hosting, which has Patchman enabled in cPanel. I got an email that it found two vulnerabilities…

XSS vulnerability in WordPress
home/user/public_html/account/wp-admin/js/post.js

XSS vulnerability in WordPress
/home/user/public_html/account/wp-includes/js/wp-sanitize.js

It then overwrites the files with the current WordPress version.

I sent an email to Patchman about the issue. Figured I’d post it here as well.

9 Likes

Thanks for this @seanthompson

2 Likes

You’re welcome.

2 Likes

Hadn’t heard of Patchman but looks like a security scanning service. Not good if they are overwriting CP files though, so it’s great you contacted them to make them aware of it. Please let us know what they say Sean.

(… and welcome!).

3 Likes

Will do.

… Thanks.

1 Like

Still don’t have a reply on this, so I sent the email to Patchman again.

1 Like

Can you share contact details of Patchman and I’ll contact them as well?

1 Like

Their email is [email protected]

1 Like

Thanks, Sean.

1 Like

Just got a response…

Thank you for contacting Patchman Support, we are currently reaching out to a higher tier to review your request to see if there are fixes for your WordPress fork. Currently here is the list of applications that Patchman currently supports. We will review this and respond once we have a definitive answer from our engineers on how Patchman impacts ClassicPress for you.

4 Likes

Got another response.

Thank you for your patience and understanding. I did have a conversation with one of our Patchman Engineers and this is what he had to say about ClassicPress:

"I see ClassicPress is a fork of WordPress, so we might, to some degree. This is not by express design, but patches are applied based on the code present. If ClassicPress shares (significant portions of) its codebase, down to the file hash level, with regular WordPress — then yes, you may see vulnerabilities that are shared between both apps also patched in both, but we offer no guarantees.

It is worth noting that while we do delineate our patch support by application/version, the detection of vulnerabilities itself is application/version agnostic in the sense that if you were to take one vulnerable file out of an outdated WordPress install and upload it on a hosting account secured by Patchman, it would still be patched, even though there’s no application surrounding it."

It sounds like you should be able to have patches work without issue but if you do have problems you can always set vulnerabilities to alert rather than patch or revert any patches that are applied which are breaking sites. Let me know if that helped to answer your questions.

WooCommerce is also on their list, which could be a problem for Classic Commerce.

There isn’t really a setting to just get alerts. It does send an email before making a patch. However, if you don’t go in and manually block each one, it continues with the patch.

1 Like
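The engineer's description above (detection keyed on the file hash, independent of which application surrounds the file) is easy to reproduce for yourself, and the same hashing lets a site owner notice afterwards that a core file was replaced. The script below is an added example, not Patchman's code and not part of this thread: it builds a sha256 manifest of a constructed sample tree, flags any file whose hash appears in a constructed "known vulnerable" list even when the file has been copied outside the application directory, and then diffs the manifest against a baseline to show which files were modified, added or removed. The paths `wp-admin/js/post.js` and `wp-includes/js/wp-sanitize.js` are taken from the first post; the file contents and the vulnerable-hash entry are made up for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through sha256 so large assets do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def find_known_vulnerable(root: Path, vulnerable_hashes: dict) -> list:
    """Application-agnostic check: a file is flagged purely by its hash,
    no matter where in the tree it sits or whether an app surrounds it."""
    hits = []
    for rel, digest in build_manifest(root).items():
        if digest in vulnerable_hashes:
            hits.append((rel, vulnerable_hashes[digest]))
    return hits


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report drift between a baseline manifest and the current tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Run the two checks over a constructed sample tree (not real CMS files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-admin" / "js").mkdir(parents=True)
        (root / "wp-includes" / "js").mkdir(parents=True)
        post_js = root / "wp-admin" / "js" / "post.js"
        sanitize_js = root / "wp-includes" / "js" / "wp-sanitize.js"
        post_js.write_text("// constructed stand-in for a ClassicPress post.js\n")
        sanitize_js.write_text("// constructed stand-in for wp-sanitize.js\n")

        # baseline manifest taken while the install is in its known-good state
        baseline = build_manifest(root)

        # constructed vulnerable-hash list: the demo treats the sample post.js as "bad"
        vulnerable = {sha256_file(post_js): "XSS vulnerability in WordPress (constructed entry)"}

        # a copy dropped outside the app tree is still found, exactly as the engineer describes
        shutil.copyfile(post_js, root / "stray.js")
        hits = find_known_vulnerable(root, vulnerable)

        # simulate a scanner overwriting post.js with different (upstream) content
        post_js.write_text("// constructed stand-in for the replacement WordPress post.js\n")
        drift = diff_manifest(baseline, build_manifest(root))
        return {"hits": hits, "drift": drift}


if __name__ == "__main__":
    print(demo())
```

On a real account you would take the baseline from a fresh ClassicPress checkout and re-run the diff after each scanner notification; a `modified` entry for a core file tells you the "patch" replaced it, which is the situation this thread is about.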

I asked them if they would add support for ClassicPress, and this was the reply:

Thank you for contacting Patchman Support. We appreciate your feedback into adding ClassicPress as a supported CMS. We are always looking to expand and improve upon our services. For an updated document on supported CMS please feel free to reference the following link:

unable to post link

Should ClassicPress be added as a supported CMS this will be the fastest way to know. Additionally, for more information on detection states, please utilize the following link:

unable to post link

1 Like