Urgent Update

If you are using a version of the church admin plugin older than 0.810, please update immediately!
Two security vulnerabilities in older versions have been discovered, one of which has a public “proof of concept” YouTube video.
Essentially, people with more time and less godliness than they would have in Christ could insert some JavaScript code into the address field of the [church_admin_register] shortcode when they fill in the form, or into the “new sermon series” input field in the sermon podcast admin area.

Potentially that could be used to steal cookies and fake your login. It’s called a “Stored XSS vulnerability”.

v0.810 stops that and renders any previous attempts harmless.

There’s no evidence that anyone has used the exploit yet, but now that it’s public, they may use it on your site if you don’t update now! Please update even if you don’t use those features, as v0.810 has been thoroughly checked for that vulnerability in all its features.
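The difference between printing a stored address as-is and escaping it on output, as an added example (not the plugin's own code): it shows why escaping at output time also neutralises values saved before the fix. The function names and sample rows are constructed for illustration, and plain PHP functions are used so it runs without WordPress.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// Constructed sample rows, as they might sit in the database: one ordinary
// address and one saved before the fix with markup in it.
$stored_rows = [
    ['name' => 'A. Member', 'address' => '1 Chapel Lane'],
    ['name' => 'B. Visitor', 'address' => '<script>alert(1)</script>2 High St'],
];

// Vulnerable pattern: the stored value is written into the page as-is,
// so the browser parses it as HTML and runs any script it contains.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['name'] . '</td><td>' . $row['address'] . "</td></tr>\n";
}

// Output escaping: every stored value is encoded for the HTML context at the
// moment it is printed. This also neutralises rows saved before the fix.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . h($row['name']) . '</td><td>' . h($row['address']) . "</td></tr>\n";
}

// Input cleaning for new submissions: drop tags and ASCII control characters
// before saving. Defence in depth, not a substitute for h() on output.
function clean_address(string $input): string
{
    $text = strip_tags($input);
    $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text);
    return trim($text);
}

foreach ($stored_rows as $row) {
    echo "unsafe: ", render_row_unsafe($row);
    echo "safe:   ", render_row_safe($row);
}
echo "saved as: ", clean_address("<script>alert(1)</script>2 High St\n"), "\n";
```

Inside WordPress, `esc_html()` and `sanitize_text_field()` are the usual equivalents of `h()` and `clean_address()` here.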

Urgent Update

Please update your church admin plugin to the latest version, 0.5968, ASAP.
Previous versions have created a plugin database backup in case of problems, with a message to download and delete it.

Someone kindly pointed out a number of sites where the backup hadn’t been deleted by the user. That means personal data can be downloaded by people who know where it is.

v0.5968 deletes the file if it exists and then recreates the backup with a very hard-to-guess filename.
It’s always worth downloading and then deleting the file, so no personal data is accessible.