We wanted to inform you right away about an important and urgent update we made to our Recurring Donations add-on. The details are below, but the short version is that you should update to version 1.10.1 as quickly as possible so your donors’ subscription history page is not exposed to bad actors.
Here are the details:
What was the Vulnerability?
This vulnerability allowed bad actors to access the Subscription History page of other donors via the Email Access feature. Once accessed, they could do any of the actions the subscription history page allows for, like change subscription amounts or change credit card info.
It is important to note that they cannot see any information about the credit card itself except for the last four digits. Your donors’ credit card information is never stored on your website, and this vulnerability did not put your donors’ credit card information in jeopardy in any way.
It is also important to note that this only affects those who are using the “Email Access” feature. If you not using that feature at all, then your donors’ history pages were not compromised at all.
How Was this Discovered and Fixed?
We responded to the report quickly and issued the patch within 48 hours of receiving it. Here is the timeline of events (in Pacific Daylight Time):
- April 15th 7:51am – A customer reported an important security issue regarding our Recurring Donations add-on. An issue was immediately created and escalated to our development team within an hour.
- April 16th – The development team investigated and discovered the depth and complexity of the issue and created a complete patch for testing.
- April 17th – 7:00am – The support and development teams both collaborated on testing the patch to ensure the fix resolves the underlying issue without creating other problems.
- April 17th – 3:20pm – The development team release the patched version 1.10.1.
How Can I Get the Update?
We want everyone using Recurring Donations to get this update regardless of the status of your license. Here’s how you do that:
I Have an Active License
Great! You should see an update available in your WordPress Updates dashboard. Simply update from there and you’re good to go.
If you have trouble updating from your dashboard at all, login to our site and you can download the latest ZIP from your account dashboard.
I Do Not Have an Active License
You can download version 1.10.1 ZIP file here. We also encourage you to renew your license so you can get all the benefits of being a GiveWP subscriber.
Stay Safe, and Reach Out if you Have Questions
Now more than ever, we depend on the patience and kindness of each other. Stay safe out there, keep your sites backed-up and updated. If you have questions at all, feel free to reply to this email or reach out to us via our contact form.
Your success with online donations is our number one priority, always!
Here’s to your success!
Founder and CEO