Earlier today I received a report of a security bug in wp-SwimTeam. While the security flaw is true, I believe the ability to take advantage of the exploit is pretty hard is it would require knowing the value of a WordPress site’s ABSPATH value. It is certainly possible to guess the value in some cases but without knowing the proper value, the exploit simply fails.
None the less, I have fixed it employing WordPress Nonce Verification. All downloads now perform a verification before proceeding.
There is still one know bug in this build, the CSV Roster export from the Manage tab doesn’t do anything. The RE1, HY3, and SDIF Roster Exports all work correctly.
There may also still be some oddities when running on WordPress Multi-Site. I’ve been chasing them down slowly, if anyone runs into anything please report it.
There is a good chance I’ll release a new version once I fix the CSV export in order to get the security fix out in production release.wp-SwimTeam Beta (453 downloads)