Urgent Security update for OIDC plugin Wordpress

girish

There's quite a bit of changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it etc.

I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).

dsp76

@girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?

humpty

@dsp76 said in Urgent Security update for OIDC plugin Wordpress:

switch to app based authorisation meanwhile and deactivate the plugin?

That's what I just did. I knew OIDC is more trouble than its worth. BTW, cloning the app won't work. Install a new WP managed app, then import a backup if you decide to go that route.

girish

This should be fixed now with the latest package.

imc67

Yes tried manually on 2 sites and it’s working!
Thanks for the effort and results

dsp76

And what needs to be done on WordPress (Developer)?

imc67

First update app, then update plugin

d19dotca

@imc67 I checked just a bit ago but didn’t actually see any update to the Developer one yet. Maybe I checked too early. Hopefully we see it soon so we can update the plugin.

girish

@dsp76 With the latest developer packages + OIDC plugin 3.11.3 , it should work .

@d19dotca https://forum.cloudron.io/topic/2586/wordpress-developer-package-updates/88 is the package release .

d19dotca

@girish I see it now, that’s great, thank you!