Last night, I got an email pointing out a vulnerability in the shortcode that allows a malicious person to add some JavaScript to the address field, which would make the address list pages vulnerable to XSS hacks.

I’ve gone through all the code for the whole plugin, making sure that vulnerability was plugged and not repeated anywhere else. The WordPress security team have also been notified.

Version 0.810 has got rid of the vulnerability. In the unlikely event that any malicious people have already exploited the vulnerability – their address field will look like a bunch of code but not actually do anything bad.
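The behaviour described above, as an added example (not the plugin's own code): a stored address is escaped when the address list is rendered, so markup in it shows up as literal text, and stored rows that contain markup are flagged for review. The sample rows and the helper names `h`, `render_row_escaped` and `find_suspect_rows` are assumptions made for illustration; inside WordPress, `esc_html()` does the job of `h()`.

```php
<?php
// Constructed sample rows standing in for stored address records (not real data).
$rows = [
    ['id' => 1, 'name' => 'Jane Doe',   'address' => '1 High Street, Anytown'],
    ['id' => 2, 'name' => 'Test Entry', 'address' => '<script>alert("xss")</script>'],
];

// Hypothetical helper: escape a stored value for an HTML text context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before the fix: the stored value is emitted as markup, so a browser would run it.
function render_row_unescaped(array $row): string
{
    return '<li>' . $row['name'] . ': ' . $row['address'] . '</li>';
}

// After the fix: every stored field is escaped at output time.
function render_row_escaped(array $row): string
{
    return '<li>' . h($row['name']) . ': ' . h($row['address']) . '</li>';
}

// Audit: return the ids of rows whose address changes when tags are stripped,
// i.e. rows that hold markup and deserve a manual look.
function find_suspect_rows(array $rows): array
{
    $suspect = [];
    foreach ($rows as $row) {
        if (strip_tags($row['address']) !== $row['address']) {
            $suspect[] = $row['id'];
        }
    }
    return $suspect;
}

foreach ($rows as $row) {
    echo 'before: ', render_row_unescaped($row), PHP_EOL;
    echo 'after:  ', render_row_escaped($row), PHP_EOL;
}
echo 'rows to review: ', implode(', ', find_suspect_rows($rows)), PHP_EOL;
```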