I’ve just released version 1.10.3, which provides some security hardening for several issues:
- Fixed: Closes 2 potential SQL injection vulnerabilities in the points logs query code. These are not exploitable within WordPoints itself, however, it is possible that they could be exploited through custom code if it passes untrusted data to the
- Fixed: Avoids the potential for directory listing of the modules directory on improperly configured servers.
- Fixed: Closes any potential XSS vulnerabilities through developer error messages on poorly configured installs (i.e., with
None of these are severe, but all users are still encouraged to upgrade to stay safe.
All of these issues were discovered by the plugin developer while performing a security audit of the plugin. We’re constantly working to improve the plugin’s security by checking for these kinds of issues. If you ever discover any security bugs in WordPoints, please responsibly disclose them to us through our contact form, or our bug bounty program.