Subscribe2 v8.2

Version 8.2 of the Plugin will hopefully be available for download soon. This version has been tested on WordPress 3.3.1. It requires at least WordPress 3.1.

Update: After a terse apology for the delay, but no explanation of why it’s taken them so long, my plugin is finally re-listed on WordPress.org. Given that it contains a trivial security update, it would be wise to upgrade, especially if you have several authors or administrators on your blog.

Version 8.2 contains the enhancements and bug fixes listed below, including a fix for a minor security vulnerability (see below for more details).

If you use this plugin and find it useful please give it some positive feedback! Visit the WordPress.org site and give it a rating, tell me it works in the compatibility section and maybe consider making a donation to support future development!

An HTML version of the plugin that sends an HTML email to Public Subscribers is available here.


This version contains the following bug fixes and improvements:

  • Implemented use of Farbtastic as colour chooser in the Counter Widget because ColorPicker has been deprecated in WordPress
  • Fixed one hook call in WordPress to pass $this variable by reference to save a little more RAM
  • Fixed Subscribe2 implementation of custom taxonomies
  • Fixed Bulk Management Format Change code to apply for all users
  • Fix for low impact security vulnerability

Security Vulnerability

Without any prior warning I received an email at noon today, my time, advising me that Subscribe2 had been “temporarily withdrawn” from the WordPress plugin site due to an “exploit report”. This email asked for my attention and/or response. Despite being at work (I don’t work in the computer industry) I managed to find time to take a look.

As far as I can tell, each of the three exploits described requires a user to be logged in to the WordPress admin area and enter specific code into some text inputs to be able to execute client-side JavaScript on their own machine. I responded within half an hour of the email informing the WordPress team that I considered the risk and impact to be very low indeed; I mean, why would you want to use WordPress to apply a JavaScript hack to your own machine?!?

In the 8 and a half hours since, I have had no further emails from the WordPress people, but I have now applied a fix for these “vulnerabilities”. I don’t know when you’ll be allowed to access it.
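For readers wondering what a fix for this class of issue looks like, here is an added illustration (not Subscribe2’s own code) using a hypothetical WordPress plugin setting named `myplugin_counter_label`: the raw-echo pattern that lets text typed into an admin field run as script whenever the settings page renders, beside a version that checks capability and nonce, sanitizes on save, and escapes on output. The function and option names are assumptions; the WordPress API calls are real and available in the 3.x releases this version targets.

```php
<?php
// Added example, not part of Subscribe2. Option and function names are hypothetical.

// BEFORE (vulnerable pattern): the stored option is echoed straight into the
// admin form. A value containing a quote and a <script> tag breaks out of the
// attribute and executes for whoever loads the settings page.
function myplugin_render_label_unsafe() {
    $label = get_option( 'myplugin_counter_label', '' );
    echo '<input type="text" name="myplugin_counter_label" value="' . $label . '" />';
}

// AFTER (hardened): three independent layers. Dropping any one of them leaves
// a gap, so the safe form applies all three.
function myplugin_save_label() {
    // 1. Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. Nonce check: rejects a save request forged from another site (CSRF).
    check_admin_referer( 'myplugin_save_label' );

    // 3. Sanitize on save: strip tags, invalid UTF-8 and stray line breaks.
    $raw = isset( $_POST['myplugin_counter_label'] ) ? stripslashes( $_POST['myplugin_counter_label'] ) : '';
    update_option( 'myplugin_counter_label', sanitize_text_field( $raw ) );
}

function myplugin_render_label_safe() {
    $label = get_option( 'myplugin_counter_label', '' );
    // Emit the nonce field the save handler verifies above.
    wp_nonce_field( 'myplugin_save_label' );
    // Escape on output: esc_attr() encodes quotes and angle brackets so the
    // value cannot terminate the attribute, even if an old unsanitized value
    // is still sitting in the database.
    echo '<input type="text" name="myplugin_counter_label" value="' . esc_attr( $label ) . '" />';
}

// Registering a sanitize callback makes the Settings API apply the same
// filter on every save path, not just the handler above.
function myplugin_register_settings() {
    register_setting( 'myplugin_options', 'myplugin_counter_label', 'sanitize_text_field' );
}
add_action( 'admin_init', 'myplugin_register_settings' );
```

Escaping on output is the layer that matters most here, because it protects the page even when a value was stored before the sanitizer existed.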