jnorell
Forum Replies Created
Forum: Plugins
In reply to: [Payment Button for PayPal] shortcode not processed on public site
Curious, this is working now, so marking this resolved. I don’t know of anything that was done (I closed the work day writing this cry for help, and no one has touched the site since then), other than maybe an automatic update of WordPress or another plugin in the meantime could have happened and been related. The server was also rebooted.
Dunno, but thanks….
Forum: Plugins
In reply to: [Payment Button for PayPal] shortcode not processed on public site
Two other things, the development site where this happens is not public, and there is no caching (no plugins nor server-level).
Forum: Plugins
In reply to: [Payment Button for PayPal] how to unset amount
The paypal documentation says it’s for buynow, too:
If you omit this variable from Buy Now or Donate buttons, buyers enter their own amount at the time of payment.
If I change line 826 of main.php
//if(isset($atts['amount']) && is_numeric($atts['amount']) && $atts['amount'] > 0) {
if(isset($atts['amount']) && is_numeric($atts['amount']) && $atts['amount'] >= 0) {
I can specify amount="0" and it allows me to enter a price at paypal. With just a bit more work, the ‘amount’ could be left out entirely (fewer shortcode attributes); or you may want to require it be specified, even if it’s “0”.
Thanks,
Jesse
Forum: Plugins
In reply to: [Payment Button for PayPal] how to unset amount
Hello, Noor
Sorry, I didn’t explain well. The custom buttons work fine, but I wanted to get rid of them and use this plug-in instead. With this plug-in I am unable to leave the amount empty.
Thanks,
Jesse
Forum: Plugins
In reply to: [WP Approve User] rfe: not require users_can_register
Any thoughts here? Or is there a more appropriate place to post feature requests? (the github repo is 7 years outdated, so I didn’t bother using that)
Thanks….
Curious on the upcoming Subscriptions add-on, will it handle anonymous users as well (double opt-in to confirm subscription), or only authenticated site users?
It’s not just parentheses and brackets, eg. entering
*test
will spew php warnings, too. In my particular case I was testing searching for a phone number
(xxx) xxx-xxx
and I mis-typed the first parenthesis as
*xxx) xxx-xxx
.. but there is a legitimate use case for a parenthesis.
- This reply was modified 4 years, 11 months ago by jnorell.
Yes, that did hide the error. Also consider:
if( is_object( $post ) && isset( $post->post_type ) && 'advert'==$post->post_type && in_the_loop() ) {
Thanks!
- This reply was modified 4 years, 12 months ago by jnorell.
FWIW, the line in Replyable that’s causing this looks to be valid use of this function:
echo get_the_post_thumbnail( $subscribed_post->id(), 'medium' );
($subscribed_post is an instance of Prompt_Post class, not WP_Post, and not in the loop).
Set the post to draft status, then publish it again.
A custom recipient with input would be the best because it would be configurable per Notification.
I’ll get a merge request sent shortly, and you can see if it’s anything you’d want to include. Thanks for the links to the other filters, that last one especially would probably have been my solution had I seen it sooner.
@malayladu, that sounds like a good tradeoff of a needed fix with enhanced features in your premium plan, and the other security fixes are also good to see, thank you.
Jesse
Ok, that’s about what I have now. I’m actually creating this as a new ‘Custom’ recipient class that can be filtered by any theme/plugin to supply a list of recipients (merge request coming soon). A couple thoughts:
– this is almost identical to the current ’email’ class with just a bit of difference in processing the value (parse filter id, and run value through filter to get recipients), would you rather see it right in
class/Defaults/Recipient/Email.php
or as a separate class/choice ?
– assuming you might include this in the next release, would it be worth making a notification slug available in order to simplify people using this feature (they would have a consistent/determinate filter name to utilize, rather than having to add their own in the value)? I suppose if doing so it would be necessary to display that slug somewhere, possibly making it editable by the user, and maybe display the final filter name for convenience (“You can use the
notification/recipients/your-new-slug
filter in your plugin or theme to generate a list of recipients”).
– for the sake of custom filtering (add_filter) of recipients, doing so from a merge tag would allow more info be passed to the filter function (ie. info from the trigger), would you see that as a better solution? or even have both available?
Thanks…
- This reply was modified 5 years, 1 month ago by jnorell.
Thanks, that’s the piece I was missing.
Is there any way for the parse_value method to read the slug of the notification itself? Eg. say I create a Notification with title ‘Test 123’ I’d assume that would get a slug test-123, which I’d like to use in parse_value to apply a filter that varies per notification (in this case ‘notification/recipient/custom/test-123’).
Thanks,
Jesse
Wow, that is .. well, I guess something I have not run into before. You have a clearly known security problem in your plugin, and rather than fixing it, you make the fix a touted feature of your paid plans. I certainly appreciate the need to generate income through plans or otherwise, and that balancing what features should be free vs. paid is a tradeoff, but I don’t believe I have ever seen anyone address a “huge risk” (your own words from that article) in a free plugin by requiring payment. As a user who cares a good deal about security, that feels a bit like we’re heading into extortion territory, though I certainly hope that is not your mindset.
In any case, folks will of course make up their own minds on this and any matter, but I am certainly done with this plugin, and will have no further dealings with the company icegram at this point.
For any other users who wish to be clear, this security issue in the Email Subscribers & Newsletters plugin allows any authenticated user of your wordpress site full access to the plugin. Do you allow users to have Subscriber accounts, or place woocommerce orders where they would have an account for purchases? – then this applies to YOU. They can access your existing subscriber lists (violating GDPR and other privacy laws). They can send their own messages to your subscriber lists. They can upload their own subscriber lists and use your website to send mass spam. They can send phishing emails from your website which will be even more convincing to the recipient as it actually comes from your website. This is not the stuff website users should have access to.