Serious Security Issue!!!!!

  • Resolved redonxcom

    (@redonxcom)


    4 years, 7 months ago

    I am running the latest version of 2.0.7.
    I am running a multi-site/network install.

    When logged into the WP Admin, navigate to Paid Member Subscriptions > Members. Then click on Add New. Under the Member box, the drop-down box displays every user within the network. It even lists users on other sites where the Admin user is not a member of.

    Even worse, if you click on Bulk Add New, it lists every user within the network in table format. INCLUDING USERNAME AND EMAIL.

    To be clear, if you have a user the is ONLY a member of siteA, they can see all other users of siteB, siteC, etc. The user of siteA could download and still all the users of every other user on siteB, siteC, etc.

    This puts site owners at serious risk because of many US state privacy laws like California and European laws like GDPR.

    I just installed your software and I like it a lot. However, this is a serious issue and I hope it gets resolved asap.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Georgian Cocora

    (@raster02)

    Hello @redonxcom,

    Thank you for your report, we are going to fix this issue in the next release, sometime next week.

    Regards.

    Thread Starter redonxcom

    (@redonxcom)

    I am glad to here this. I look forward to seeing this issue resolved. Do you have an idea of when this will be released?

    Plugin Author Georgian Cocora

    (@raster02)

    We will release a new update on Monday.

    Regards.

    Plugin Author Georgian Cocora

    (@raster02)

    Hello @redonxcom,

    The update was just released.

    Thread Starter redonxcom

    (@redonxcom)

    Thank you so much for taking this security issue so serious and your prompt efforts to release an update.

    There is an issue.

    Your update blocked all users. It should only show users from the same site. In its current state, your software is unable to add any users at all.

    The drop-down box on the Add Member Subscription is empty. I have several users within this site that do not have a membership.

    Bulk Edit is empty. Bulk edit should list the same users as the WP Admin > Users > All Users. I assume.

    Thread Starter redonxcom

    (@redonxcom)

    There is an issue.

    Your update blocked all users. It should only show users from the same site. In its current state, your software is unable to add any users at all.

    The drop-down box on the Add Member Subscription is empty. I have several users within this site that do not have a membership.

    Bulk Edit is empty. Bulk edit should list the same users as the WP Admin > Users > All Users. I assume.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Serious Security Issue!!!!!’ is closed to new replies.