This release addresses several security issues that have been reported to us by Hanno Boeck, Brian Carpenter, oreamnos and Julio Cesar. Many thanks for this!
More specifically:
- Ensure URL parameter casting for RSS and blog entry limits to prevent possible SQL injection inside the LIMIT statement part
- Prevent XSS in the "Edit entries" panel
- Prevent sending comment notifications to more than one email address
- Disable exit.php tracking to prevent open URL redirection, unless the trackexits plugin is specifically configured to allow it
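The first fix above is an integer-casting problem. As an added illustration (not Serendipity's own code; the query, parameter name and limits are assumptions), here is the vulnerable pattern of pasting a raw URL parameter into a LIMIT clause next to the cast-and-clamp form that closes it:

```php
<?php
// Added example, not code from Serendipity. Demonstrates why a LIMIT value taken
// from the query string must be cast before it is interpolated into SQL.

// Vulnerable pattern: the raw query-string value is concatenated into the SQL
// text, so any non-numeric content ends up inside the LIMIT clause.
function build_limit_vulnerable(array $get): string {
    $limit = $get['limit'] ?? '15';
    return "SELECT id, title FROM entries ORDER BY timestamp DESC LIMIT " . $limit;
}

// Hardened pattern: cast to int and clamp to a sane range before interpolation.
// After the cast the value can only be digits, so the clause cannot be altered.
// A prepared statement with an integer-bound parameter is the other sound option.
function sanitize_limit($raw, int $default = 15, int $max = 100): int {
    $limit = (int) $raw;             // "10abc" becomes 10, non-numeric input becomes 0
    if ($limit < 1) {
        $limit = $default;           // reject zero and negative limits
    }
    return min($limit, $max);        // cap what a single request may pull
}

function build_limit_hardened(array $get): string {
    $limit = sanitize_limit($get['limit'] ?? null);
    return "SELECT id, title FROM entries ORDER BY timestamp DESC LIMIT " . $limit;
}

// Constructed inputs of the kind a regression test should cover: a valid value,
// trailing garbage, a negative number, an empty string and an oversized request.
$cases = ['15', '10abc', '-3', '', '9999'];
foreach ($cases as $raw) {
    printf("%-8s -> %s\n", var_export($raw, true),
           build_limit_hardened(['limit' => $raw]));
}
```

Run with `php example.php` to see that every input reduces to a bare integer in the hardened clause, while `build_limit_vulnerable` would pass the `10abc` case through unchanged.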
The release also adds a new "legal" plugin property bag attribute (usable for GDPR/DSGVO plugin information) and by default disables the subToMe service to prevent GDPR issues.
Simply download the release and update your blog.