This security release is recommended for everyone using the file uploads feature in the Audio & Video plugin.
Audio & Video file upload vulnerability
A few days ago it was brought to our attention that the Audio Uploads feature allows uploading other file types. According to preliminary research, files such as PHP or HTML were not going through, which meant the severity of the issue is rather low.
After some more digging we were able to replicate the issue on some browsers combined with certain server setups. As far as we know there is no meaningful way to exploit this by uploading malicious files, nevertheless we decided to tighten up the security just in case and release it as PeepSo 2.2.4.
No other changes were introduced in the Gecko theme nor any other PeepSo plugin, as this version is only shipping a patch to the aforementioned issue.
If you’re not using Audio & Video uploading features you can skip this release and wait for PeepSo 2.2.5. It should come out next week according to our regular two week release cycle.