Store Locator Plus version 4.2.27 has been released with a focus on improved email link security.
Upgrade To SLP 4.2.27 Now – Prevent Spam
The current release of Store Locator Plus removes the send-email script from the product due to security concerns. If you are running any version of Store Locator Plus between version 2.1 and version 4.2.26 you are potentially allowing spammers to use your Store Locator Plus installation to send spam through your server. A script that takes advantage of a loophole in the WordPress nonce controls has been forwarded to CSA by a security expert; it provides an example of how a third party can grab the nonce and leverage it to send email through the send-email.php script to/from any email address they choose. This script is published online, though it has not yet been announced to the general public. SLP 4.2.27 removes this vulnerability completely from the base plugin AND prevents a similar hacking methodology from being employed when using the new Enhanced Results popup email form that is coming out this week.
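The class of defect described above comes from treating a nonce printed into a public page as authorization and letting the request choose the addresses. The handler below is an added example, not Store Locator Plus code, of a WordPress AJAX mail endpoint that closes those gaps; all hook names, function names and the `_example_contact_email` meta key are hypothetical.

```php
<?php
// Added example (not Store Locator Plus code): a "contact this location"
// handler in which the caller can pick neither the From nor the To address.
add_action( 'wp_ajax_example_contact_location', 'example_contact_location' );
add_action( 'wp_ajax_nopriv_example_contact_location', 'example_contact_location' );

function example_contact_location() {
    // 1. A nonce is a CSRF token, not authorization: anyone who can load the
    //    page can read it, so it must never be the only gate on a mailer.
    check_ajax_referer( 'example_contact_location', 'nonce' );

    // 2. The recipient is resolved server-side from the stored location;
    //    the request supplies only an ID, never an address.
    $location_id = absint( $_POST['location_id'] ?? 0 );
    $to          = get_post_meta( $location_id, '_example_contact_email', true );
    if ( ! $location_id || ! is_email( $to ) ) {
        wp_send_json_error( 'unknown location', 400 );
    }

    // 3. The sender is fixed to the site; the visitor's address is validated
    //    and only placed in Reply-To, so the server never relays "from" anyone.
    $visitor = sanitize_email( wp_unslash( $_POST['reply_to'] ?? '' ) );
    if ( ! is_email( $visitor ) ) {
        wp_send_json_error( 'invalid reply address', 400 );
    }
    $headers = array(
        'From: ' . get_bloginfo( 'name' ) . ' <' . get_option( 'admin_email' ) . '>',
        'Reply-To: ' . $visitor,
    );

    // 4. Per-IP throttle: a public endpoint that sends mail is still public.
    $key   = 'example_contact_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $key, $count + 1, HOUR_IN_SECONDS );

    // 5. Fixed subject, plain-text body with a length cap.
    $subject = 'Message about a location on ' . get_bloginfo( 'name' );
    $message = wp_strip_all_tags( wp_unslash( $_POST['message'] ?? '' ) );
    if ( '' === trim( $message ) || strlen( $message ) > 2000 ) {
        wp_send_json_error( 'invalid message', 400 );
    }

    wp_send_json_success( wp_mail( $to, $subject, $message, $headers ) );
}
```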
Other Notable Updates
In past releases of the base plugin, any locations that included a contact email address would display that address in the map results as a basic mailto: hyperlink, with the email address itself rendered in plain text. Sites that displayed location results by default, which is the preferred setting on most locator websites, were prone to page scrapers that could collect these email addresses.
Store Locator Plus version 4.2.27 has replaced the plain text email address output with the word “email” linked to the email address. The label can be changed via the User Experience / Results tab to any text the site administrator chooses. This is not the most robust defence against page scraping, but it is an improvement. The 4.2.27 release also lays the foundation for the imminent Enhanced Results update. The forthcoming Enhanced Results update provides several email link rendering options, including a way to revert to the legacy “show the email address in the results” behaviour (how version 4.2.26 and earlier worked), as well as a completely revamped popup email form that eliminates some additional security issues present in the prior iteration of the popup email system that has been in place for the past 3 years.
Look for more updates to the add-on packs as they leverage the new add-on framework improvements. If you are a Premier Subscriber you can also expect to see several new add-on packs in 2015.