syzygist

Thanks for that. It’s a small change, I don’t mind making it each time I update the plugin. Unfortunately, it doesn’t quite accomplish what we are after, since the email notification just shows “Privacy consent: Opt-in to receiving SMS” whether the box is checked or not, so we have no way of knowing whether the sender has consented. Is there anything we can do to display that in the email notification, or would that be a big code rewrite?

Thanks for the prompt reply and for considering my suggestion. I understand development of free plugins is on an as-time-is-available basis. I appreciate the tip about times showing in WP-DEBUG – I’ll keep that in mind in the meantime.

Ah, that works. Thanks!

Here is the link to the threat report. Your plugin appears near the bottom of the list, and it is listed as unpatched, with all versions 3.7 and below affected by the vulnerability. I can’t believe you are really unaware of this, since it is the practice of threat investigators to contact authors first and give them time to correct the issue before they publicize, but even if they didn’t do that, it has now been public for two weeks. When are you going to stop pretending you don’t know about it/have already fixed it, and make it right? Site owners who don’t have Wordfence are unlikely to realize their sites are at risk, but every hacker in the world now knows about it.

https://www.wordfence.com/threat-intel/vulnerabilities/detail/multiple-wponlinesupport-plugins-various-versions-missing-authorization-to-notice-dismissal

The threat report, as linked above by EigenWijsheid, shows that the vulnerability exists through version 3.6, and has not been patched.

I restored the plugin files I had removed, updated to version 2.1.5, and ran a Wordfence scan. The scan did not flag the new version as vulnerable. However, the vulnerability report link I posted above has not been updated to mention the new version and identify it as a patch. You may wish to contact them about that.

According to the threat report linked below, version 2.1.1 did NOT correct the vulnerability, nor did 2.1.2, 2.1.3 or 2.1.4. As of yesterday (11/7/23), the threat report indicates all updates through 2.1.4 failed to correct the vulnerability, and no effective patch has been released. The lack of transparency on the status of this plugin does not reflect well on the plugin author. Misinforming users about the safety of the plugin puts sites at risk, which is unacceptable.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gallery-videos/video-gallery-youtube-gallery-202-authenticated-administrator-sql-injection

Treebeard – I am going to have to start recommending a switch to my clients as well. Paywalling functionality so that the tech admin is harassed with irrelevant email is a very poor marketing strategy. I’m also pretty unimpressed that my query was marked as “resolved,” when it is no such thing. Giving plugin developers the ability to unilaterally decide when a support issue is resolved (regardless of whether the OP thinks so) just begs for abuse, and has rendered support statistics untrustworthy and therefore meaningless. But luckily, there are plenty of other analytics options to choose from.

The technical administrator for many sites is not the same person who manages content (and therefore SEO). Therefore paywalling the option to have the summaries sent to someone other than the site admin is a bad decision for site admins and for your company alike. Many admins – especially those who manage multiple sites and get deluged with multiple copies of the summary – will simply turn it off and/or mark it as spam if they aren’t able to direct it elsewhere in the plugin, and the person who would actually be making the payment decision for an upgrade will never see it. Is that what you want?

I’d keep it with admins. Contact form setup is not for beginners.

Thanks for your swift and thoughtful response.

It doesn’t need to be view only. It makes sense that an employee managing messages would be able to delete messages, delete selected, send the message list, and export to CSV. And BTW, if it were possible to add the timestamp of the message to the date, that would be very helpful. Being able to send a selected message or messages to the entered email address would also be a very handy feature, allowing the employee to redirect messages directly from WordPress. An employee probably shouldn’t be able to upgrade, however. That is something that would more usually be managed by a site admin.

In many businesses, the employee who manages contact form messages is of relatively low authority in the company, and is not otherwise involved with the website (nor authorized to make purchases). The Contributor role isn’t a perfect fit for this scenario, as it permits access to some other things which would be better restricted to site admins.

Therefore a unique user role specific to your plugin, similar to your Event Manager screenshot, would probably be a better solution for typical business use than piggybacking on a native WordPress role. It would also be useful for site admins of blogs configuring safe permissions for an inexperienced site owner.

Apparently I can’t send a screenshot since they have switched this forum to the block editor. But I don’t think the date format is the issue, since the date it showed the first time I re-authenticated on Sept 6 was 11/09/23, so why would it switch date formats upon a second attempt the very next day? It showed a reauthentication date of 11/09/23 on Sept. 6. Does it make sense that it would suddenly switch date formats and show a date of 06/11/23 on Sept. 7th? Even if it did switch date formats for some reason, and you assume Nov. 6th was really meant the second time, why would it give me a reauthentication date 3 days EARLIER on Sept. 7th than it gave me on Sept. 6th? Wouldn’t the reauthentication date be 1 day later?

The reauthentication process would be a lot clearer if the link in the banner took you to the Connection tab where reauthentication happens, rather than to the Sharing Options tab. But you have not addressed my concern about the Connections tab now showing that my next authentication date is 2 months in the past instead of 2 months in the future.

I have the same question. Wordfence has identified it as abandoned. If you’re going to stop supporting it, you could at least add an export function so we can paste controls we have created into our Additional CSS without having to manually research and re-create each one. That’s a lot of work to put 200,000 active users through. And hitting us with an ad for your new theme is an especial slap in the face (and really poor marketing tactic) when it appears to be at the expense of the plugin we have already spent a lot of time configuring.

I will send it to the email address on your profile – prefer not to post it. Thanks for taking a look.