The WP-Members 3.4.9 release is mostly a security update, with a couple of additional features and API functions.
Security
The primary issue addressed in this release is the [wpmem_field] shortcode: what data it can expose and who is able to use it.
For the average user, there is no security problem. However, on sites with untrusted editors whose role lacks the list_users capability, the shortcode could allow such a user to retrieve data about other users.
To address this in a manner that is suitable for all of the plugin’s users and implemented use-cases, I have added an option for how the shortcode is enabled. There is a setting for you to choose one of the following:
- Disabled
- Partially enabled
- Fully enabled
Here is what each of those means, and who it might apply to:
Disabled
This renders the [wpmem_field] shortcode fully disabled. It is the recommended setting if you don’t use the shortcode at all. Sites that have only administrator and subscriber roles don’t strictly need it, but it is still the recommended setting when the shortcode isn’t needed.
This setting is selected by default for all new installations.
Partially enabled
If you use the shortcode in conjunction with front-end user editing (a rare subset of users), this option enables the shortcode, but it only loads if the currently logged-in user has the “edit_users” capability assigned to their role (which they would need in order to edit users).
Fully enabled
This option fully enables the shortcode, allowing it to be used by all users.
Am I At Risk?
Generally, no. This issue only applies where you have untrusted users who can edit posts but cannot edit users. Further, it does not expose all user data, and this update further limits the data available to the shortcode to certain fields.
Review the new options listed above and determine which best fits how you use the plugin (for most people it will be either disabled or fully enabled). If necessary, further limit the fields available to the shortcode by using the new wpmem_field_sc_meta_keys filter hook.
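The following is an added example of using that filter hook from a theme or site plugin; it is not code from the release notes or from WP-Members itself. It assumes the wpmem_field_sc_meta_keys filter passes an array of permitted meta key names and expects an array back (the plugin's exact argument shape is not described above), and the field names in $public_keys are placeholders for whatever your site considers safe to display. The capability check uses WordPress's own current_user_can(), so users who can already see the user list get the plugin's full set, while everyone else is limited to the allowlist.

```php
<?php
/**
 * Added example (not from the WP-Members release notes or plugin source).
 * Restricts the meta keys the [wpmem_field] shortcode may read.
 *
 * Assumption: the wpmem_field_sc_meta_keys filter passes an array of
 * permitted meta key names and expects an array back.
 */
add_filter( 'wpmem_field_sc_meta_keys', 'my_site_limit_wpmem_field_keys' );

function my_site_limit_wpmem_field_keys( $keys ) {
	// Fields considered safe for any page editor to display.
	// Placeholder list: replace with the fields appropriate for your site.
	$public_keys = array( 'display_name', 'description' );

	// Users who may already view user records keep whatever the plugin allows.
	if ( current_user_can( 'list_users' ) ) {
		return $keys;
	}

	// Everyone else gets the intersection of the plugin's list and the allowlist,
	// so a key is usable only if both the plugin and this site permit it.
	return array_values( array_intersect( (array) $keys, $public_keys ) );
}
```

Because the callback intersects rather than replaces, it can only narrow what the plugin already permits; a key that the update removed from the shortcode cannot be re-enabled here by accident.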
If you’re not sure, don’t understand, or have questions, ask.
New API Functions
This update also includes some new API functions. They operate as conditional functions.
- wpmem_is_login()
- wpmem_is_register()
- wpmem_is_profile()