Gravity Forms v1.9.4 is now available via automatic update and the customer downloads page. This is a maintenance and security release and we recommend users update as soon as possible.
This release includes a fix for a blind SQL injection vulnerability similar to the issue recently fixed in other popular WordPress plugins such as WPSEO, WooCommerce, and PODS. The scope of this vulnerability was limited to functionality within the Gravity Forms admin, reachable only by a user with sufficient privileges to view and edit forms within the WordPress Dashboard. By default this vulnerability could only be exploited by a WordPress user with admin privileges on your site and could not be exploited anonymously from the frontend.
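The paragraph above describes the shape of the problem (an authenticated, admin-only handler that built SQL from request data) without showing code. The following is an added illustration of that class of defect and its usual fix in a WordPress plugin; it is not Gravity Forms code and does not reflect the actual fixed handler. The action name, table suffix and nonce action are hypothetical, and the capability check uses the core `manage_options` capability to stand in for "admin only by default".

```php
<?php
// Added illustration (not Gravity Forms code): an admin-only AJAX handler
// that lists entries for a form, sorted by a column the request supplies.
// Hypothetical names: action 'example_list_entries', table suffix
// 'example_entries', nonce action 'example_list_entries_nonce'.

// Unsafe pattern: the form id and sort column come straight from the request
// and are interpolated into the query. Even though the handler only returns
// row ids, the attacker-controlled ORDER BY clause makes it a blind SQL
// injection primitive for any user who can reach the handler.
function example_list_entries_unsafe() {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_entries';
    $form_id = $_POST['form_id'];
    $orderby = $_POST['orderby'];
    $rows    = $wpdb->get_results( "SELECT id FROM {$table} WHERE form_id = {$form_id} ORDER BY {$orderby}" );
    wp_send_json( $rows );
}

// Hardened pattern: capability check, nonce check, values bound through
// $wpdb->prepare(), and SQL identifiers restricted to an allow-list
// (identifiers cannot be bound as placeholders, so they must be whitelisted).
function example_list_entries_safe() {
    global $wpdb;

    // Only users allowed to manage the site may call this endpoint at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject cross-site requests riding on an administrator's session.
    check_ajax_referer( 'example_list_entries_nonce', 'nonce' );

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;

    // Column names are mapped through an allow-list, defaulting to 'id'.
    $allowed = array( 'id', 'date_created', 'status' );
    $orderby = ( isset( $_POST['orderby'] ) && in_array( $_POST['orderby'], $allowed, true ) )
        ? $_POST['orderby']
        : 'id';

    $table = $wpdb->prefix . 'example_entries';
    $sql   = $wpdb->prepare(
        "SELECT id FROM {$table} WHERE form_id = %d ORDER BY {$orderby}",
        $form_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_example_list_entries', 'example_list_entries_safe' );
```

The capability and nonce checks are what keep a defect like this "admin only"; the prepared statement and allow-list are what remove the injection itself. All four belong in every admin handler that touches the database, since a plugin cannot assume that every site's administrators are trusted equally or that an administrator's browser session is never abused.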
Security is extremely important, which is why we preach always keeping WordPress up to date. It is also why we are utilizing security service Acunetix to scan for potential vulnerabilities directly within our source control system so that any potential issues can be found and corrected immediately.
We recommend users enable background automatic updates within the Gravity Forms Settings so that updates such as this may be applied automatically.
What’s New in Gravity Forms v1.9.4
- Added 2 new ready classes: gf_simple_horizontal and gf_section_right.
- Added logging for $phpmailer->ErrorInfo.
- Updated the Number field to include the thousands separator when returning a validation failure if the input type is ‘text’. Some browsers do not allow commas when using the HTML5 ‘number’ input type.
- Updated number formatting to include the thousands separator on the entry list and detail pages and when merge tags are processed. The :value modifier will return the value without the thousands separator.
- Fixed security issue in the import process of legacy forms on some systems.
- Fixed an issue with GFCommon::format_number using the currency defined on the Forms > Settings page instead of the currency used with the entry which resulted in the number being incorrectly formatted when using the third-party Gravity Forms Multi Currency add-on.
- Fixed an issue with conditional logic not updating the enhanced UI after resetting the value of the underlying select element.
- Fixed a security vulnerability in the admin area that could be exploited by users with permission to edit forms in the WordPress Dashboard which is admin only by default. Credit: 10up.
- Fixed a security vulnerability for forms that require login. Caching pages with forms that require login will now cause submissions to fail.
- Fixed issue with chosen sprite file name. Renamed it to prevent issues on some server configurations.
- Fixed calculations in the post custom field when the input type is set to number and calculations are enabled.
- Fixed an issue with the ID attributes of the left span elements of Email and Password fields.
- Fixed an issue with the field label for attribute in the form editor containing an extra underscore.
Add-On Framework Updates in Gravity Forms v1.9.4
- Updated logging in GFPaymentAddOn.
API Updates in Gravity Forms v1.9.4
- Fixed an issue that could potentially pose a security vulnerability via third-party add-ons and custom code.
- Fixed a warning generated in the results endpoint when there are no entries.
You can update to the latest version of Gravity Forms using Automatic Update. Just visit the Updates page under the Forms navigation in your WordPress Dashboard. Update deployment is staged so if you do not see the update available, try again in a few hours. You can also download the latest version of the plugin from the Downloads page.