Changelog for
wordpress-plugin-contact-form-7-7.5.0.4-1.1.noarch.rpm :
Wed Sep 12 14:00:00 2018 Tuukka Pasanen
- A privilege escalation vulnerability has been found in Contact Form 7 5.0.3 and older versions. Utilizing this vulnerability,
a logged-in user in the Contributor role can potentially edit contact forms, which only Administrator and Editor-role users
are allowed to access by default. This issue has been reported by Simon Scannell from RIPS Technologies.
To minimize damage from possible attacks utilizing those vulnerabilities, Contact Form 7 5.0.4 and higher will restrict the
local file attachment feature. More particularly, you will no longer be able to specify an absolute file path that refers to a
file placed outside the wp-content directory. You can still specify files inside the wp-content directory with relative or
absolute file paths, so all you need to change is the location of the attachment files.
Requires: WordPress 4.8 or higher
Tested up to: WordPress 4.9.8
- Change Log
* Specifies the capability_type argument explicitly in the register_post_type() call to fix the privilege escalation
vulnerability issue.
* Local File Attachment – disallows the specifying of absolute file paths referring to files outside the wp-content
directory.
* Config Validator – adds a test item to detect invalid file attachment settings.
* Fixes a bug in the JavaScript fallback function for legacy browsers that do not support the HTML5 placeholder attribute.
* Acceptance Checkbox – unsets the form-tag’s do-not-store feature.
Wed Aug 8 14:00:00 2018 tuukka.pasanenAATTilmi.fi
- Update to version 7 5.0.3
Changes:
* CSS: Applies the “not-allowed” cursor style to submit buttons in the “disabled” state.
* Acceptance Checkbox: Revises the tag-generator UI to encourage the use of better options in terms of personal data protection.
* Introduces wpcf7_anonymize_ip_addr() function.
* Introduces the consent_for:storage option for all types of form-tags.
Mon Jun 18 14:00:00 2018 tuukka.pasanenAATTilmi.fi
- Added version 7 5.0.2
