Category Archives: WordPress

Bulk Reports and Digests for Gravity Forms


I have written yet another Gravity Forms plugin/addon. This time the plugin generates bulk reports of form entries, digests of sorts. On a set schedule (which can be altered using the cron_schedules filter), the addon aggregates every form entry it hasn’t seen yet, including very old ones, and sends the digest out to predefined e-mail addresses.

The whole thing probably works best with the regular single-shot notifications turned off.

Download it from GitHub now.
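As an added example, and not the code of the add-on linked above, this is how the scheduling side can be built on WordPress core alone: a custom interval registered through the cron_schedules filter the post mentions, a single recurring event, and a watermark of the highest entry ID already reported, which is what lets old, never-reported entries land in the first digest. It assumes Gravity Forms with the GFAPI class (1.8 or later), that entries can be sorted on the id key, a form with ID 1 and a placeholder recipient; those are this example’s assumptions, not the plugin’s.

```php
<?php
/*
Plugin Name: Form entry digest (added example)
Description: Mails a digest of every form entry not yet reported, on a custom WP-Cron interval.
*/

// Assumptions for this example only: form ID 1 and a placeholder recipient list.
function fed_form_id()    { return 1; }
function fed_recipients() { return array('reports@example.com'); }

// 1. Register a custom interval. WP-Cron ships only hourly/twicedaily/daily;
//    cron_schedules is the filter that lets a plugin add its own.
add_filter('cron_schedules', function (array $schedules) {
    $schedules['fed_every_six_hours'] = array(
        'interval' => 6 * 3600,
        'display'  => 'Every six hours (entry digest)',
    );
    return $schedules;
});

// 2. Schedule exactly one recurring event; wp_next_scheduled() stops a duplicate on every request.
add_action('init', function () {
    if (!wp_next_scheduled('fed_send_digest')) {
        wp_schedule_event(time(), 'fed_every_six_hours', 'fed_send_digest');
    }
});
register_deactivation_hook(__FILE__, function () {
    wp_clear_scheduled_hook('fed_send_digest');
});

// 3. Fetch entries newest-first and stop at the watermark, so the result is exactly the
//    unreported set regardless of how many old entries exist (assumes GFAPI, GF 1.8+).
function fed_fetch_unreported($form_id, $last_id) {
    $unreported = array();
    $page_size  = 200;
    for ($offset = 0; ; $offset += $page_size) {
        $entries = GFAPI::get_entries(
            $form_id,
            array('status' => 'active'),
            array('key' => 'id', 'direction' => 'DESC'),
            array('offset' => $offset, 'page_size' => $page_size)
        );
        if (is_wp_error($entries) || empty($entries)) {
            break;
        }
        foreach ($entries as $entry) {
            if ((int) $entry['id'] <= $last_id) {
                return array_reverse($unreported); // everything older was already reported
            }
            $unreported[] = $entry;
        }
    }
    return array_reverse($unreported);
}

// 4. Build the digest body and the new watermark from the unreported entries.
function fed_build_digest(array $entries, $last_id) {
    $lines = array();
    foreach ($entries as $entry) {
        $id      = (int) $entry['id'];
        $lines[] = sprintf('#%d submitted %s from %s', $id, $entry['date_created'], $entry['ip']);
        $last_id = max($last_id, $id);
    }
    return array('body' => implode("\n", $lines), 'last_id' => $last_id, 'count' => count($lines));
}

// 5. The cron callback. The watermark moves only after wp_mail() accepts the message,
//    so a mail failure leaves the entries queued for the next run instead of dropping them.
add_action('fed_send_digest', function () {
    $last_id = (int) get_option('fed_last_entry_id', 0);
    $digest  = fed_build_digest(fed_fetch_unreported(fed_form_id(), $last_id), $last_id);
    if ($digest['count'] === 0) {
        return;
    }
    $sent = wp_mail(fed_recipients(), sprintf('%d new form entries', $digest['count']), $digest['body']);
    if ($sent) {
        update_option('fed_last_entry_id', $digest['last_id']);
    }
});
```

WP-Cron only fires when something requests a page, so a quiet site delays the digest; for a predictable schedule set define('DISABLE_WP_CRON', true) in wp-config.php and have system cron request wp-cron.php?doing_wp_cron at the chosen interval.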

Functions Deprecated in WordPress 3.4

Here’s a list of functions that are now deprecated in WordPress 3.4:

That’s it for deprecated functions. A comprehensive list of changes is available here. Although WordPress is known for being highly backward compatible and the deprecated functions will remain available for a long time, developers are strongly discouraged from using them going forward. With WP_DEBUG enabled, each call to one of them triggers a _deprecated_function() notice, which is the quickest way to find stragglers in a code base.

WordPress 3.4

Codename “Green”, WordPress 3.4 was announced yesterday, boasting flashy features and upgraded functionality.


Lots of hard work involved, lots of excitement, and most can’t wait to upgrade, including me. However, as much as I want to update to WordPress 3.4 and enjoy the new stuff, I find it difficult to do so in production right now. I’m sure WordPress 3.4 is fantastic, but it’s too early; there’s bound to be a WordPress 3.4.1 with security fixes (or at least hot fixes) sometime this year.

My suggestion is that unless you have a pressing need for one of the new features, wait a bit and see how it behaves out in the wild and how it is targeted. At a little over 200,000 downloads and less than 24 hours in the wild, it’s too early to tell. I’ll personally wait a couple of months before upgrading in production.

Other than that, hurray! Off to play with the new XML-RPC methods.

WordPress trunk news #15, #16, #17

It’s been a while since news from the trunk has been published on my blog, due to a lack of time on my part and a lack of substantially juicy stuff happening in the trunk. With WordPress 3.4 coming up, most of the movement in the trunk is related to fixing bugs. So today’s post combines the 15th, 16th and 17th editions of WordPress trunk news into one.


As of today there are 12 active tickets. And with WordPress’s 9th birthday earlier this week (yay!), here’s the latest news from the trunk.


Conditional Notifications Plugin for Gravity Forms

Gravity Forms is one of those plugins that many enjoy and make use of. A recent project of mine involved adding a piece of functionality that seems as indispensable as conditional field logic: conditional notifications.

Based on the values of form fields, selected notification settings are overridden, including the e-mail addresses and, more importantly, the content, as well as whether a notification is sent at all.

This Gravity Forms Add-on allows users to select specific conditions that override the default notification settings. The first condition that is met provides the settings that replace the ones set in the Notification area for a form. If no condition is met, the form’s default Notification settings apply.

A fantastic use for this Gravity Forms Add-on would be an auto-responder for an inquiry form where visitors select a predefined inquiry type (although an FAQ would handle that in most cases), or applications to specific departments, where the response arrives with that department’s contact details, terms, working hours, and so on. In short, it should be quite useful.

The Gravity Forms Conditional Notifications Add-on is available on GitHub.
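Added example, not the add-on’s own code: the same first-match behaviour expressed directly on Gravity Forms’ notification filters, so the routing table lives in PHP rather than in a settings screen. It assumes Gravity Forms 1.7 or later (for gform_notification and gform_disable_notification), a form with ID 3, a drop-down field with ID 7 holding the chosen department, and placeholder addresses; the rule table and names are this example’s own. The security point it illustrates is that the recipient is never taken from the submission itself: the submitted value only selects a row in a server-side table, so a crafted value cannot steer mail to an arbitrary address the way a notification addressed to a user-filled e-mail field can.

```php
<?php
/*
Plugin Name: Conditional notification routing (added example)
*/

// Assumptions for this example only (not taken from the add-on on GitHub).
function cnr_form_id()  { return 3; }
function cnr_field_id() { return '7'; }

// Ordered rules: the first whose 'value' equals the submitted field value wins.
// A null 'to' means "suppress the notification entirely".
// {form_title}, {entry_id} and {all_fields} are Gravity Forms merge tags and are
// expanded after the filter runs, so they may be used in the overrides.
function cnr_rules() {
    return array(
        array('value'   => 'Sales',
              'to'      => 'sales@example.com',
              'subject' => 'Sales inquiry: {form_title}',
              'message' => "Thanks for contacting Sales. We reply within one business day.\n\n{all_fields}"),
        array('value'   => 'Support',
              'to'      => 'support@example.com',
              'subject' => 'Support request #{entry_id}',
              'message' => "Our support desk is open 09:00-17:00.\n\n{all_fields}"),
        array('value'   => 'Other', 'to' => null, 'subject' => null, 'message' => null),
    );
}

// Pure function: strict string comparison against the table, no WordPress dependency,
// so the matching logic can be unit-tested on its own.
function cnr_match(array $entry, array $rules, $field_id) {
    $submitted = isset($entry[$field_id]) ? (string) $entry[$field_id] : '';
    foreach ($rules as $rule) {
        if ($rule['value'] === $submitted) {
            return $rule;
        }
    }
    return null; // no rule matched: the form's default notification stays untouched
}

// Override recipient, subject and body when a sending rule matches.
add_filter('gform_notification_' . cnr_form_id(), function ($notification, $form, $entry) {
    $rule = cnr_match($entry, cnr_rules(), cnr_field_id());
    if ($rule && $rule['to'] !== null) {
        $notification['toType']  = 'email'; // literal address, not a field or routing lookup
        $notification['to']      = $rule['to'];
        $notification['subject'] = $rule['subject'];
        $notification['message'] = $rule['message'];
    }
    return $notification;
}, 10, 3);

// Suppress the notification when the matching rule has no recipient.
add_filter('gform_disable_notification_' . cnr_form_id(), function ($disable, $notification, $form, $entry) {
    $rule = cnr_match($entry, cnr_rules(), cnr_field_id());
    return ($rule && $rule['to'] === null) ? true : $disable;
}, 10, 4);
```

Because the filters are suffixed with the form ID they run for every notification configured on that form; if the form has both an admin notification and an autoresponder, check $notification['name'] inside the callbacks before overriding.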

WordPress trunk news #14

May 9th, the target release day of WordPress 3.4, came and went two days ago, and quite expectedly WordPress 3.4 is still two steps behind release, at beta 4 from last week. There are currently 19 active tickets awaiting resolution before release. Fear not, WordPress 3.4 RC1 will probably land this coming weekend. The WordPress core development chat offers some great insight into what’s pending (“We went from 20 tickets…to 20. Go team. 😉” – rboren).


Repository List

The SVN server hosts some interesting repositories apart from plugins and themes, some of which are not widely known and might be considered obscure or not pertaining to WordPress in any direct way.

Here’s a list of some of the useful and intriguing ones:

Know of any others?

WordPress trunk news #13

First of all, WordPress 3.4 beta 4 has rolled out earlier this week. Only 23 tickets are open, which means that it’s almost there.


So what’s new?


WordPress trunk news #12

No WordPress 3.4 updates this week, and beta 3 is still the current version. Per the project schedule, the final two steps before WordPress 3.4 are release candidates RC1 and RC2. Target launch is May 9th.

At the time of writing, the WordPress 3.4 roadmap stands at 396 closed, 92 active, 488 total tickets, which is around 81% complete. Many XML-RPC privilege-check bugs have been fixed; we’ll probably see more, considering the terrific number of new features in the XML-RPC server.


And now to trunk, what’s changed?


Why the update, WordPress 3.3.2?

The WordPress 3.3.2 maintenance release was announced yesterday. The changelog for WordPress 3.3.2 explains some of the changes, and the changeset log shows pretty much all the changes made in 3.3.2.


So what the heck happened there in terms of security?


WordPress 3.3.1 ships Plupload Version (2011-09-27); with the latest Plupload at Version 1.5.4, much could, and must, have gone wrong between the two. Checking the changelog, we find the following entries:

  • Fix potential vulnerability in dump.php and upload.php (too old)
  • Flash: Restrict scripting ability to swf’s own domain only
  • Revive temporary file removal logic in upload.php
  • and possibly some others

The contents of the changesets can be seen here. Not sure what we’re really looking for at this point; the WordPress changeset appears to rely solely on the Plupload update. Neal Poole promises some information, it seems, which makes it even more intriguing: could the problem be not (only) in Plupload?

One of the core files in the changeset seems to be capabilities.php, and it has not changed… then there’s handlers.js, with up.removeFile(file); added… no other ideas, eagerly awaiting details.


Another mystery: why are SWFUpload bugs reported to WordPress? There have been no updates to SWFUpload since September 2011, it seems. So what’s going on here? Can’t tell without decompiling the SWF itself.


The changeset appears to be limited to encoding the MMredirect Flashvar; possibly related is a year-old security issue, SDK-22303, also revolving around XSS, as well as this one. The latest version of SWFObject does not appear to have this change applied to it; its last update was in June 2009.

Limited privilege escalation

As the changeset shows, a non-network administrator in WordPress 3.3.1 can deactivate network-wide plugins. This is of limited use under most circumstances.


The make_clickable function grew in size to account for an edge case where XSS was possible in comment text.

Update: OK, so I updated to 3.3.2 and I’m still getting XSS’d from inside the comments. Did I miss the point of it all or hit something else? The latest trunk with Twenty Ten/Eleven also allows script injection in comments. Whaaa…? I need to get some serious sleep; I’ve been up for over 30 hours. Enough monkey business for now.

Update: The farthest I got is injecting <a href=""></a> which produces an error on the page when clicked.

Update 2: A few hours of sleep work like magic. Turns out I was logged in as administrator; that’s how I got to inject JavaScript into comments.
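Added note and example, not part of the original post: that observation has a precise cause. WordPress’s kses_init() does not install the comment-sanitizing kses filters for any user with the unfiltered_html capability, which Administrators and Editors hold on a single site (on multisite only super admins keep it), so an administrator testing a comment XSS payload is testing an account that is exempt from filtering. Re-test from a logged-out session or a Subscriber account. To remove the exemption site-wide, the supported switch is define('DISALLOW_UNFILTERED_HTML', true) in wp-config.php; the mu-plugin below does the same thing through the map_meta_cap filter, adds an allow-list for the rare accounts that genuinely need raw HTML, and warns anyone who still has the capability that their tests are unrepresentative. The allow-list, function names and notice text are this example’s own.

```php
<?php
/*
Plugin Name: Restrict unfiltered_html (added example)
Description: Drop into wp-content/mu-plugins/. Denies unfiltered_html to every user not on an
             explicit allow-list, so comment and post HTML always passes through kses.
*/

// Assumption for this example: user logins allowed to keep unfiltered_html. Empty means nobody,
// which is equivalent to define('DISALLOW_UNFILTERED_HTML', true) in wp-config.php.
function ruh_allowed_logins() {
    return array();
}

function ruh_user_is_allowed($user_id) {
    $user = get_userdata((int) $user_id);
    return $user && in_array($user->user_login, ruh_allowed_logins(), true);
}

// map_meta_cap runs for every capability check. Adding 'do_not_allow' makes the check fail
// no matter what a role or another plugin grants, which is how core implements the constant.
add_filter('map_meta_cap', function (array $caps, $cap, $user_id) {
    if ('unfiltered_html' === $cap && !ruh_user_is_allowed($user_id)) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 3);

// Allow-listed users bypass kses, so a "failed" XSS test from their account proves nothing
// about what an anonymous visitor can submit. Say so in the dashboard.
add_action('admin_notices', function () {
    if (current_user_can('unfiltered_html')) {
        echo '<div class="notice notice-warning"><p>'
            . esc_html('Your account has unfiltered_html: markup you submit is not sanitized. '
                . 'Test comment filtering from a Subscriber or a logged-out session.')
            . '</p></div>';
    }
});
```

Because kses_init() evaluates the capability on init and on set_current_user, the change takes effect on the next request without touching any role definitions, and removing the file restores the original behaviour.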

So that’s pretty much why the sudden update, besides the couple of fixes that made it into the release. It still doesn’t feel right…

Be on the lookout for the details behind the intriguing SWF updates. Big ups go to Neal Poole, Nathan Partlan, Szymon Gruszecki, Mauro Gentile and Adam Backstrom for the patience to disclose responsibly. Much love to the core and security teams, who make it of utmost importance to keep WordPress users safe. Thank you.