This release addresses several security issues that have been reported to us by Hanno Boeck, Brian Carpenter, oreamnos and Julio Cesar. Many thanks for this!
More specifically:
- Cast the URL parameters for RSS and blog entry limits to prevent possible SQL injection in the LIMIT part of the statement
- Prevent XSS in the "Edit entries" panel
- Prevent sending comment notifications to more than one email address
- Disable exit.php tracking to prevent open URL redirection, unless the trackexits plugin is specifically configured to do so
The release also adds a new feature for a "legal" plugin property bag attribute (usable for GDPR/DSGVO plugin information) and by default disables the subToMe service to prevent GDPR issues.
(MD5: 4e0fe2a842077293f0edd8cbe3e5e8d8)
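
The first fix in the list above, casting a URL-supplied entry limit before it reaches the LIMIT clause, can look like the following. This is an added example, not code from this release; the function names, the `limit` parameter, the `entries` table and the sample inputs are hypothetical.

```php
<?php
/**
 * Turn an untrusted request value into an integer that is safe to place
 * after LIMIT. Anything that is not a whole number >= 1 (arrays, null,
 * strings with trailing SQL, negative numbers) falls back to $default;
 * valid values are capped at $max so a client cannot request the whole table.
 */
function safe_limit($raw, int $default = 15, int $max = 100): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return $default;
    }
    return min($n, $max);
}

// "Before" pattern: the request value is concatenated into the query as-is,
// so whatever follows the number becomes part of the SQL statement.
function entries_query_unsafe(array $get): string
{
    $limit = $get['limit'] ?? '15';
    return 'SELECT id, title FROM entries ORDER BY timestamp DESC LIMIT ' . $limit;
}

// "After" pattern: only a validated, bounded integer can reach the statement.
function entries_query_safe(array $get): string
{
    $limit = safe_limit($get['limit'] ?? null);
    return 'SELECT id, title FROM entries ORDER BY timestamp DESC LIMIT ' . $limit;
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['limit' => '10'],                    // ordinary request
    ['limit' => '5000'],                  // valid integer, above the cap
    ['limit' => '10 trailing-sql-here'],  // not an integer
    ['limit' => ['10']],                  // array-valued parameter
    [],                                   // parameter missing
];

foreach ($samples as $get) {
    echo json_encode($get), PHP_EOL;
    if (!is_array($get['limit'] ?? null)) {
        echo '  unsafe: ', entries_query_unsafe($get), PHP_EOL;
    }
    echo '  safe:   ', entries_query_safe($get), PHP_EOL;
}
```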