WP-Members 2.8.10 was released today. This was an unexpected but important security update.
Some of you may have noticed that for a period of time today, WP-Members was unavailable in the wordpress.org repository. This was because there was a security vulnerability discovered in the plugin. It is the policy of wordpress.org to remove any plugin that has a vulnerability until that issue is resolved.
I was notified of this issue at approximately 10:40 Central Time today. By 12:30, I had created a patch which was tested and loaded to the repository by 2:00. The plugin team at wordpress.org tested this new version and restored the plugin to the repository by 8:00.
I appreciate the prompt communication from the wordpress.org team. We all take security seriously and their prompt contact with me allowed for a very quick turnaround in getting this fix out the door.
You might be wondering if you are affected by the vulnerability. The issue actually only affects those users who use the WP-Members custom fields on the WordPress default backend registration (wp-login.php?action=register) instead of the plugin’s default frontside registration. Since this is a feature that was only recently added specifically for users who did not read the plugin’s installation instructions, I suspect that this is only used by a small number of users (especially since the plugin’s default installation gives you a message to turn this off).
Regardless, I still recommend the update.
If you have any questions, please contact me.