Please update to v0.810

By andymoyle, Tuesday, April 21st, 2015 at 3:39 pm


Last night, I got an email pointing out a vulnerability in the shortcode that allows a malicious person to add some JavaScript to the address field, which would make the address list pages vulnerable to XSS hacks.

I’ve gone through all the code for the whole plugin, making sure that vulnerability was plugged and not repeated anywhere else. The WordPress security team have also been notified.

Version 0.810 has got rid of the vulnerability. In the unlikely event that any malicious people have already exploited the vulnerability – their address field will look like a bunch of code but not actually do anything bad.
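
Why an address saved before the update shows up as "a bunch of code" instead of running, as an added example that is not the plugin's own code: it assumes the fix encodes stored values when the address list is rendered, which the post does not spell out. The function names and the sample rows are constructed for illustration.

```php
<?php
// Constructed rows standing in for stored household records. The second
// address is a harmless marker, as it would sit in the database if it had
// been saved through the form before the update.
$households = [
    ['name' => 'Jane & John Smith', 'address' => '1 High Street, Anytown'],
    ['name' => 'Test Person', 'address' => '<script>alert("xss")</script>'],
];

// Before: stored values are concatenated straight into the page, so the
// browser parses the second address as markup.
function render_address_list_unescaped(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '<li>' . $row['name'] . ': ' . $row['address'] . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Encode a stored value for an HTML text context. Inside WordPress,
// esc_html() does this job; htmlspecialchars() keeps the example stand-alone.
function esc_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every stored value is encoded at output time, so rows saved before
// the fix are neutralised without touching the database.
function render_address_list_escaped(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '<li>' . esc_for_html($row['name']) . ': '
               . esc_for_html($row['address']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

$before = render_address_list_unescaped($households);
$after  = render_address_list_escaped($households);

// The unescaped page carries a live script element; the escaped page does not.
var_dump(strpos($before, '<script>') !== false);
var_dump(strpos($after, '<script>') === false);

echo $after;
```

Encoding at output also covers the ampersand in ordinary names, which is why it is applied to every field and not only to the address.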