Important Security Release – 7.0.4.3


PeepSo 7.0.4.3 has just been released, and it includes a critical security update. If you’re using an earlier version, we strongly recommend updating immediately.

This release addresses a vulnerability that, in rare and specific circumstances, could allow an attacker to log in as any user on your site — including administrators.

The issue has been fully resolved in version 7.0.4.3, but older installations remain at risk. To ensure your site’s security and integrity, please update as soon as possible.

Security

This vulnerability was present in the core of the login and registration processes. We can’t go into details, so as not to expose websites running older PeepSo versions. The vulnerability was discovered by us, not by third-party researchers, so to the best of our knowledge nobody else has a replication scenario.

Critical vulnerabilities can be found at any point in pretty much any software; that’s why it is important to stay up to date.

Paid Memberships Pro

We improved the redirect logic when trying to join a PeepSo group paywalled with PMP. If the group belongs to multiple memberships, we will redirect to the memberships page, filtered down to the memberships containing that group. But if the group only belongs to one membership, we will redirect straight to that membership page, to eliminate an unnecessary step.

Admins now have an option to be warned in the administration area when groups are linked to multiple membership levels, to cover scenarios where PeepSo groups are supposed to belong to only one membership / add-on memberships.

Other improvements

We fixed an issue with registration not allowing the user to continue if the passwords were simultaneously configured with custom strength rules and disabled in registration. Our script tried to verify security for password fields that were not there.

Some missing/broken strings reported by translators were fixed, and we shipped a Croatian translation created by the community.

Reported issues with WooCommerce distraction-free checkout rendering unexpectedly within PeepSo content (instead of the header) were addressed as well.

Summary

While this release ships some great e-commerce improvements, the most important part is the security fix. While relatively hard to replicate and – as far as we know – not public knowledge, it does open an avenue for a skilled hacker to take over a website. Please update as soon as possible and as always, preferably test the update on a staging site or at least have a backup at hand, just in case.

If you have any additional questions or concerns, contact us.

Brought to you by PeepSo Team Eric Tracz
I’m a Digital Nomad currently living in Manila, The Philippines. Co-Founder and CEO of PeepSo.com. First time WordCamp Speaker at WordCamp Kuala Lumpur 2017, WordCamp Singapore 2019 and hoping to speak more soon. I started my journey with open source nearly a decade ago as a simple support guy. Joomla! was my first encounter with the world of Open Source. After that period of my life got phased out I fell in love with WordPress and never left. I have been both lucky and at the same time I worked my ass off to get to where I am right now. Free time, if I have any, is usually spent with my wife and / or travel around South-East Asia. Even when I’m supposed to be on a little vacation, not a day goes by when I don’t check up on PeepSo. So far visited or lived in: Hungary, Czech Republic, Slovakia, Indonesia, Malaysia, Singapore, Hungary, Vietnam, Cambodia, Laos, Thailand, China, Japan, Maldives, Sri Lanka, Myanmar, Norway, Germany, Scotland, England and more… Whenever possible, I jump on my Ducati Monster and just ride.
