Earlier today I was informed by WordFence of a security issue in Caldera Forms, which they have classified to be of medium severity. This issue does not affect the security of your site, but if exploited could lead to exposure of sensitive data stored in form entries. We take your privacy very seriously.
I’d personally like to apologize to all of our users for allowing this to happen. I also ask that you understand that software is made by humans, and humans make mistakes.
Upon being informed of this problem, I corrected it, contacted the WordPress security team, and informed them of the issue and our fix. They have agreed to push an automatic update of Caldera Forms, for users on Caldera Forms 1.3.2 or later, which has already begun. Once the automatic update started, I pushed the fix to GitHub, so that all users would have access to it.
We strongly recommend that all users update to 220.127.116.11 or 1.3.6-b3. Users on 1.3.2 through 18.104.22.168 will receive a minor update that has the last version in that cycle, with the security fix. Users of 1.3.5.x will receive the latest version, which has the fix.
I appreciate WordFence practicing responsible disclosure. I also want to thank Dion Hulse, a lead developer of WordPress, for getting back to us very quickly and making the automatic update possible.