Gravity Forms version 1.9.4 is now available through automatic updates and the customer downloads page. This release focuses on maintenance and security improvements, making it crucial for users to update promptly.
Key Security Update
This release addresses a blind SQL injection vulnerability similar to those recently fixed in popular WordPress plugins such as WPSEO, WooCommerce, and PODS. The vulnerability was restricted to Gravity Forms’ admin functionality, requiring admin-level access within the WordPress Dashboard. It could not be exploited anonymously from the front end.
To ensure security remains a top priority, we have integrated the Acunetix security service into our source control system. This integration helps promptly identify and resolve potential vulnerabilities.
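The admin-only blind SQL injection described above follows a familiar WordPress pattern: a query that sorts or filters on request parameters without binding them. The following is an added illustration, not Gravity Forms code, showing that pattern beside its hardened form. It assumes the WordPress globals `$wpdb`, `current_user_can()` and `check_admin_referer()`, a hypothetical table `{$wpdb->prefix}gf_demo_entries`, and the capability name `gravityforms_edit_forms` (assumed from Gravity Forms’ role model).

```php
<?php
// Added illustration (not Gravity Forms code): an admin-side entry list
// that sorts by a user-supplied column, in a vulnerable and a hardened form.
// Assumes WordPress globals ($wpdb, current_user_can, check_admin_referer),
// a hypothetical table {$wpdb->prefix}gf_demo_entries, and the capability
// 'gravityforms_edit_forms' (assumed from Gravity Forms' role model).

// Vulnerable pattern: sort column and direction are interpolated straight
// into SQL. Because the result only changes row order, an injected condition
// is observable through that ordering (blind SQLi), and the only barrier is
// whatever capability check the caller happens to perform.
function demo_list_entries_unsafe( $form_id ) {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'ASC';
    $table   = $wpdb->prefix . 'gf_demo_entries';
    return $wpdb->get_results(
        "SELECT id, date_created FROM {$table} WHERE form_id = {$form_id} ORDER BY {$orderby} {$order}"
    );
}

// Hardened form: require the editing capability and the admin nonce, accept
// only known column names and directions, and bind the numeric value with
// $wpdb->prepare(). Identifiers cannot be bound as placeholders, so they must
// come from an allowlist rather than from the request.
function demo_list_entries_safe( $form_id ) {
    global $wpdb;
    if ( ! current_user_can( 'gravityforms_edit_forms' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'demo_list_entries' ); // nonce action name is assumed

    $columns = array( 'id', 'date_created', 'status' );
    $orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $columns, true ) )
        ? $_GET['orderby'] : 'id';
    $order   = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' )
        ? 'DESC' : 'ASC';

    $table = $wpdb->prefix . 'gf_demo_entries';
    $sql   = $wpdb->prepare(
        "SELECT id, date_created FROM {$table} WHERE form_id = %d ORDER BY {$orderby} {$order}",
        absint( $form_id )
    );
    return $wpdb->get_results( $sql );
}
```

The capability and nonce checks are what keep such a query out of reach of anonymous front-end requests, which matches the exposure described for this release; the allowlist and `prepare()` remove the injection itself.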
Recommendations
We strongly recommend enabling automatic background updates in the Gravity Forms Settings to ensure seamless update application and enhanced security.
What’s New in Gravity Forms v1.9.4:
- New Features:
  - Added two new ready classes: gf_simple_horizontal and gf_section_right.
  - Included logging for $phpmailer->ErrorInfo.
- Enhancements:
  - The Number field now includes the thousands separator when returning a validation failure if the input type is ‘text’, addressing browser restrictions on the HTML5 ‘number’ input type.
  - Updated number formatting to include the thousands separator on the entry list and detail pages during merge tag processing. The :value modifier returns the value without a thousands separator.
- Security Fixes:
  - Resolved security issues in the import process of legacy forms on specific systems.
  - Fixed a vulnerability in the admin area that required permission to edit forms, typically restricted to admin-level users. Credit: 10up.
  - Addressed a vulnerability for forms requiring login, ensuring submissions fail when caching pages with such forms.
  - Resolved a security issue posing a risk via third-party add-ons and custom code.
- Bug Fixes:
  - Corrected an issue where GFCommon::format_number used the currency defined on the Forms > Settings page instead of the currency used with the entry, causing incorrect number formatting when using the Gravity Forms Multi-Currency add-on.
  - Fixed a problem with conditional logic failing to update the enhanced UI after resetting the value of the underlying select element.
  - Addressed a JavaScript error on the edit page for certain custom post types lacking an editor.
  - Corrected the chosen sprite file name issue to mitigate potential problems on specific server configurations.
  - Fixed calculations in the post-custom field when the input type is set to number and calculations are enabled.
  - Fixed an issue where the ID attributes of the left-span elements of the Email and Password fields, and the field label’s for attribute in the form editor, contained an extra underscore.
- Add-On Framework Updates:
  - Enhanced logging in GFPaymentAddOn.
- API Updates:
  - Fixed a warning generated in the results endpoint when no entries exist.
How to Update
You can use the Automatic Update feature to update to the latest Gravity Forms version. Navigate to the Updates page under the Forms section in your WordPress Dashboard. Update deployment is staged, so if the update isn’t immediately available, try again in a few hours. Alternatively, you can download the latest version of the plugin from the Downloads page.
Keep your site secure and up-to-date by installing Gravity Forms version 1.9.4 today.