We are releasing an important security update and ask all users to update Convert Plus to version 3.4.2 immediately. Here is a quick overview of what this is about:
The summary of the vulnerability:
- Server data could be exposed if someone tried to access it through cross-site scripting (XSS).
We are thankful to Dany Bach, who reported this vulnerability after discovering it while using Convert Plus on his website.
Our team took action immediately and worked with him to get it fixed in a few hours. This update is the result of successfully eliminating the vulnerability.
We haven’t heard of any website or server being affected by this as of now.
What are we doing about this?
As mentioned above, we’ve added a vulnerability fix in the most recent version 3.4.2 of Convert Plus.
We now check the nonce, sanitize input fields, and have replaced unserialize() calls with json_decode() calls, which makes it secure and prevents any such security breach in the future. Apart from this, we are also taking the following actions:
- Released an immediate automatic update with a notification in the WordPress dashboard.
- Informing all our direct Convert Plus customers.
- Notifying all the theme authors who have bundled Convert Plus within their theme.
- Taking all precautionary measures and actively working with security experts to ensure no other vulnerability is present.
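The three code-level changes named above (nonce check, input sanitization, json_decode() in place of unserialize()) look like this in a WordPress AJAX handler. This is an added illustration, not code from Convert Plus; the action, nonce, option and field names are hypothetical, and the "before" function is a generic insecure pattern rather than the plugin's actual code.

```php
<?php
// Added illustration. All example_* names and field names are hypothetical.

// Before (generic insecure pattern): no nonce check, raw input echoed back,
// and unserialize() run on request data, which can instantiate objects.
function example_save_settings_unsafe() {
    $settings = unserialize( stripslashes( $_POST['settings'] ) );
    update_option( 'example_settings', $settings );
    echo 'Saved: ' . $_POST['title']; // reflected without escaping
    wp_die();
}

// After: the three measures the advisory lists.
function example_save_settings() {
    // 1. Nonce check: dies unless the request carries a valid nonce
    //    created with wp_create_nonce( 'example_save_settings' ).
    check_ajax_referer( 'example_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Sanitize scalar input fields before using them.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';

    // 3. json_decode() with assoc=true returns only arrays and scalars,
    //    so no PHP object is ever built from request data.
    $raw     = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( 'invalid settings', 400 );
    }

    // Keep only known keys and sanitize each value.
    $settings = array();
    foreach ( array( 'headline', 'button_text' ) as $key ) {
        if ( isset( $decoded[ $key ] ) && is_scalar( $decoded[ $key ] ) ) {
            $settings[ $key ] = sanitize_text_field( (string) $decoded[ $key ] );
        }
    }

    update_option( 'example_settings', $settings );
    wp_send_json_success( array( 'title' => $title, 'settings' => $settings ) );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
```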
Immediate Action Required!
Since this is a security update, we do not want any of our users to risk their server information. Therefore, it is highly recommended that you update Convert Plus to the latest version so that you can sit back and relax! 🙂
While we sincerely apologize for the inconvenience caused, we assure you that this incident has made our team’s commitment to providing quality along with security even stronger. We are constantly working to make sure our products are secure and reliable.
If you have any questions or concerns about the incident, please feel free to get in touch with us at support[at]bsf[dot]io.