Pods 2.7.12 Security/Maintenance Release

We are releasing a new Security/Maintenance Release onto the WordPress Plugin Repository today, Pods 2.7.12. This release is targeted to address an issue with displaying User Relationship Fields and to fix some sorting with Currency fields.

Important Security Fix

There was an important security fix in this release for an issue that affected Pods 2.7.10 and 2.7.11 for a period of about 15 days. We were first notified about the issue on Wednesday, December 19th, 2018 and moved quickly to prepare a fix and the release. We put the release out today, Thursday, December 20th, 2018, in coordination with the WordPress.org Plugins team after notifying them on Wednesday.

The security fix included in Pods 2.7.12 addresses an issue first introduced in Pods 2.7.10 on December 5th, 2018. In certain cases, but not all, Pods with single-select relationships to Users that were templated with Pods Template magic tags would output the full User data instead of the default Display name. What makes this a security issue is that it would sometimes result in the output of the hashed user_pass value. This wasn’t a plain text password for the user, but hashed passwords are still important to keep safe.

Because of this, we made this release our top priority and it’s now available for download. We recommend that those running Pods 2.7.10 or 2.7.11 update at their earliest convenience. If an update is not possible, you can work around the problem by changing your magic tag usage from {@related_user_field} to {@related_user_field.display_name}, where “related_user_field” is the User relationship field name.
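The workaround above can be checked mechanically. The following is an added example, not code from Pods: it finds bare magic tags for User relationship fields in a template, rewrites them to the .display_name form, and counts hash-shaped strings in rendered or cached output. The field names, sample template and sample output are constructed, and the hash pattern assumes the phpass portable format ("$P$" prefix) that WordPress core stored in user_pass at the time.

```python
import re

# Bare magic tag: {@field} or {@field,helper}. Dotted tags such as
# {@field.display_name} never match because "." is not in the name class.
BARE_TAG = re.compile(r"\{@([A-Za-z0-9_]+)((?:,[^{}]*)?)\}")
# Assumed hash shape: phpass portable hash, "$P$" plus 31 characters
# from the ./0-9A-Za-z alphabet (34 characters in total).
PHPASS = re.compile(r"\$P\$[./0-9A-Za-z]{31}")

def find_bare_user_tags(template, user_fields):
    """Return (line_number, tag) for each bare tag naming a User relationship field."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in BARE_TAG.finditer(line):
            if m.group(1) in user_fields:
                hits.append((lineno, m.group(0)))
    return hits

def apply_workaround(template, user_fields):
    """Rewrite {@field} to {@field.display_name} for the listed fields only."""
    def fix(m):
        if m.group(1) not in user_fields:
            return m.group(0)  # not a User relationship field: leave untouched
        return "{@%s.display_name%s}" % (m.group(1), m.group(2))
    return BARE_TAG.sub(fix, template)

def leaked_hash_count(rendered_html):
    """Count phpass-shaped strings in rendered or cached page output."""
    return len(PHPASS.findall(rendered_html))

# Constructed sample template; "author_user" and "reviewer" are hypothetical
# single-select User relationship field names.
SAMPLE_TEMPLATE = """<h2>{@post_title}</h2>
<p>Written by {@author_user}</p>
<p>Reviewed by {@reviewer.display_name}</p>
<p>Contact: {@author_user,esc_html}</p>"""

# Constructed rendered output containing a made-up hash-shaped value.
SAMPLE_RENDERED = "<p>Written by 7 jdoe $P$B" + "a1" * 15 + " jdoe@example.test</p>"

if __name__ == "__main__":
    fields = {"author_user", "reviewer"}
    for lineno, tag in find_bare_user_tags(SAMPLE_TEMPLATE, fields):
        print("line %d: bare user tag %s" % (lineno, tag))
    print(apply_workaround(SAMPLE_TEMPLATE, fields))
    print("hash-shaped strings in output:", leaked_hash_count(SAMPLE_RENDERED))
```

If the hash check finds matches in cached or archived pages, those copies need purging as well, since a template change or plugin update does not alter output that was already stored.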

As always, you can read about all the changes in our changelog on GitHub and download the new update from the WordPress Plugin Repository.