Caldera Forms 1.5.5 has been released. It includes a security fix to prevent an XSS vulnerability reported responsibly by Will Brand. The details will be included in a CVE on WPVulnDB. While this is not a severe security issue and would be very difficult to exploit, we recommend all users update immediately.
This update also fixes a few important bugs:
- Star fields set to be required could be submitted with no value in some browsers, including Firefox. Validation of these fields has been improved.
- Some field configurations led to 502 errors on WPEngine when the object cache was used. Field sync objects are no longer cached in the WordPress object cache.
- The email settings screen was not showing. It works again.
- The caldera_forms_pre_load_processors action ran twice. The second use is now renamed to caldera_forms_post_load_processors.
- An edge case in the honey pot anti-spam caused false positives in very rare scenarios. A fix to prevent this issue is in place.