Sign In

Recurring 1.10.1 includes a Patch for an Urgent Vulnerability

Version 1.10.1 patches a vulnerability that allows bad actors to view the subscription history of donors. This article describes the steps we took to patch this and provides details on how everyone can get access to the update immediately.
Recurring Donations version 1.01.1

We wanted to inform you right away about an important and urgent update we made to our Recurring Donations add-on. The details are below, but the short version is that you should update to version 1.10.1 as quickly as possible so your donors’ subscription history page is not exposed to bad actors.

Here are the details:

What was the Vulnerability?

This vulnerability allowed bad actors to access the Subscription History page of other donors via the Email Access feature. Once accessed, they could do any of the actions the subscription history page allows for, like change subscription amounts or change credit card info.

It is important to note that they cannot see any information about the credit card itself except for the last four digits. Your donors’ credit card information is never stored on your website, and this vulnerability did not put your donors’ credit card information in jeopardy in any way.

It is also important to note that this only affects those who are using the “Email Access” feature. If you not using that feature at all, then your donors’ history pages were not compromised at all.

How Was this Discovered and Fixed?

We responded to the report quickly and issued the patch within 48 hours of receiving it. Here is the timeline of events (in Pacific Daylight Time):

  • April 15th 7:51am – A customer reported an important security issue regarding our Recurring Donations add-on. An issue was immediately created and escalated to our development team within an hour.
  • April 16th – The development team investigated and discovered the depth and complexity of the issue and created a complete patch for testing.
  • April 17th – 7:00am – The support and development teams both collaborated on testing the patch to ensure the fix resolves the underlying issue without creating other problems.
  • April 17th – 3:20pm – The development team release the patched version 1.10.1.

How Can I Get the Update?

We want everyone using Recurring Donations to get this update regardless of the status of your license. Here’s how you do that:

I Have an Active License
Great! You should see an update available in your WordPress Updates dashboard. Simply update from there and you’re good to go.

If you have trouble updating from your dashboard at all, login to our site and you can download the latest ZIP from your account dashboard.

I Do Not Have an Active License
You can download version 1.10.1 ZIP file here. We also encourage you to renew your license so you can get all the benefits of being a GiveWP subscriber.

Stay Safe, and Reach Out if you Have Questions

Now more than ever, we depend on the patience and kindness of each other. Stay safe out there, keep your sites backed-up and updated. If you have questions at all, feel free to reply to this email or reach out to us via our contact form.

Your success with online donations is our number one priority, always!

Here’s to your success!

Sincerely,
Founder and CEO
Devin Walker

About the Author

Devin Walker

Devin Walker

Co-founder and General Manager of GiveWP, WordPress enthusiast, WordCamp speaker, mediocre golfer, post-rock obsessed cat lover, and aspiring world traveler. Follow me on Twitter.

Share this post

You might also like

Stripe Verified Partner
Cloudflare

Join Our Newsletter

Get fundraising insights directly in your inbox. Plus a 15% discount off all plans.

  • This field is for validation purposes and should be left unchanged.

Policies

Resources

About US

Copyright © 2024 Liquid Web, L.L.C.

GiveWP™ is a trademark of Liquid Web, L.L.C.

A Liquid Web Brand

© 2024 All Rights Reserved.

StellarWP
Nexcess