I have just posted a beta build (v0.94-beta-1) of WordPress Google Forms. This build introduces a new solution for calculating the CAPTCHA. There have been a number of concerns about the use of the PHP eval() function and recently, an alternate solution has been posted to the WordPress Support Forum. I have adapted the proposed solution to the plugin.
This build also addresses a concern about a possible security issue with the user-agent string stored when logging submissions. It is technically possible for a malicious user to encode the user agent string with malicious code. This update ensures that data is sanitized before storing and presenting it.
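The two changes described above, sketched in PHP as an added example (this is not the plugin's code, nor the solution posted to the Support Forum): a CAPTCHA sum computed without eval(), and a user-agent string cleaned before storage and escaped on display. The function names, the three-digit operand limit and the 255-byte cap are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from the plugin.

/** Compute a CAPTCHA of the form "<int> <op> <int>" without eval(). */
function captcha_answer(string $a, string $op, string $b): ?int
{
    // Operands must be short unsigned decimal integers and nothing else.
    if (!preg_match('/^\d{1,3}$/D', $a) || !preg_match('/^\d{1,3}$/D', $b)) {
        return null;
    }
    $x = (int) $a;
    $y = (int) $b;
    // The operator only selects a fixed branch; it is never run as code.
    switch ($op) {
        case '+': return $x + $y;
        case '-': return $x - $y;
        case '*': return $x * $y;
        default:  return null;
    }
}

/** Clean a User-Agent header before it is written to the submission log. */
function clean_user_agent(string $ua): string
{
    // Remove control characters (CR/LF included), then cap the length.
    $ua = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $ua);
    return substr($ua, 0, 255);
}

/** Escape a stored value at the point where it is rendered as HTML. */
function show_user_agent(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, not real log data.
$ua = "Mozilla/5.0 <script>alert(1)</script>\r\nX-Injected: 1";
var_dump(captcha_answer('7', '+', '5'));          // well-formed operands
var_dump(captcha_answer('7', '+', '5; echo 1'));  // rejected, never evaluated
echo show_user_agent(clean_user_agent($ua)), "\n";
```

Inside WordPress, sanitize_text_field() and esc_html() are the usual counterparts of the two user-agent helpers.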
I have addressed what I hope is the last of the security concerns with Google Forms and resubmitted to WordPress.org for approval. In the meantime, should anyone want early access to the next update, which includes some additional debug features as well as addressing the security concerns, you can download it here.
This afternoon I posted beta-4 of Email Users v4.8.5. This build adds some additional debug information to help chase down slow database queries. When in debug mode, Email Users will now report information about the query like this:
This evening I uploaded another beta (beta-2) build of Email Users v4.8.5. This build addresses an issue with the user’s email preferences not being respected when using a custom meta filter. This problem was reported in the WordPress Support Forum a few weeks back.
I’ve posted Email Users v4.8.5-beta-1 for testing purposes. This is a minor update which restores functionality which was removed in 4.7.1. See this recent thread and this old 4.7.1 thread on the WordPress Support Forum for more details on the change in 4.7.1.
The change in 4.8.5 introduces a new option (Send User Exclude Role) on the Settings page which is enabled by default to retain the current functionality. When turned off, the user’s current role is also included in the list of roles presented as potential recipients.
Please provide any feedback ASAP as my window to fix this over the holiday break at work is small.
Last week I was notified my Google Forms plugin had a potential security flaw and would be de-listed from the plugin repository until addressed. I have implemented the fixes recommended by the WordPress Security Team and am in the process of getting the plugin listed again.
I would like to enlist some additional testing besides my small suite of test cases with the updated code.
This morning I released v0.87 of the Google Forms plugin. This update includes a new check when saving a form definition. The check scans the HTML from the form to ensure it has the proper HTML structure the plugin expects.
The new version of Google Forms is not supported by the plugin so this check ensures that a user is notified that the form isn’t of the expected format.
You can find this updated on your WordPress Dashboard or in the WordPress plugin repository.
A week ago (July 19th) I was contacted by WordPress regarding a potential security flaw in Email Users. Email Users was “closed” (which is why it doesn’t show up at WordPress.org) until the security flaw was addressed and a new version of the plugin was tagged and released.
Due to some work issues, I did not have a chance to work on the plugin until this past weekend. I have resolved the security concerns, committed all of the changes, and tagged a new release. On July 26th (Sunday) I notified WordPress.org that everything (I know of) has been addressed. At this point, I am waiting for the plugin to be opened again or notified that I’ve missed something.
I’ve uploaded v4.84. to my web site in the event anyone wants to download the update before WordPress.org makes it live again.