Caldera Forms 1.6.1.1


This is a security update. This fix was applied to versions 1.6.0 and 1.6.1 and is also in the new version 1.6.1.1.

Please note: If you do not have a magic tag in your success message, which is not a default setting, this issue does not affect you. We still recommend keeping your plugins up to date.

Bottom line: I missed something. That’s my mistake and I apologize. – Josh

More Details

This release is an additional fix for CVE-2018-7747. I was alerted earlier today that there was one remaining problem that did not get fixed. The security issue we disclosed two weeks ago is a stored XSS vulnerability. In simpler terms, that means there was a way to use Caldera Forms to store some JavaScript that could be triggered to run later.

In Caldera Forms 1.6.0 I used a function that removes all JavaScript from the output that was previously exploitable. That prevented the stored JavaScript from running. Since exploiting a stored XSS vulnerability is a two-step process (store, then retrieve later), this update prevents the issue from being exploited in the future.

Caldera Forms 1.6.1.1 adds the same protection in one more location and prevents the behaviour that was shown to me today.
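The two-step path described above (a submitted value is stored, then rendered later through a magic tag in the success message), as an added example that is not Caldera Forms code. The `%field_slug%` tag syntax, the submission and the template are assumptions; where the advisory says the fix strips JavaScript from the output, this example takes the stricter route of HTML-escaping every substituted value.

```python
import html
import re

# Assumed magic-tag syntax: %field_slug% inside the admin-authored success message.
MAGIC_TAG = re.compile(r"%([a-z_]+)%")

# Step 1 (store): a constructed submission whose "name" field carries markup.
# Saving it is harmless by itself; the risk is in how it is rendered later.
STORED_SUBMISSION = {
    "name": '<img src=x onerror="stolenDataHandler()">',  # constructed sample value
    "email": "visitor@example.com",
}

# Admin-authored template: trusted HTML, so the template itself is not escaped.
SUCCESS_TEMPLATE = "<p>Thanks, <strong>%name%</strong>! We will write to %email%.</p>"


def render_vulnerable(template, submission):
    """Step 2 (retrieve), pre-fix behaviour: stored values are substituted raw,
    so markup saved in step 1 becomes live markup in the success message."""
    return MAGIC_TAG.sub(lambda m: submission.get(m.group(1), ""), template)


def render_hardened(template, submission):
    """Step 2 with output protection: only the substituted values are escaped,
    so the admin's HTML survives while stored markup is shown as plain text."""
    return MAGIC_TAG.sub(
        lambda m: html.escape(submission.get(m.group(1), ""), quote=True), template
    )


def contains_active_markup(rendered):
    """Defender-side check on the final output: is there a <script> element or
    any tag carrying an on* event-handler attribute?"""
    return re.search(r"<(script\b|[a-z]+[^>]*\son[a-z]+\s*=)", rendered, re.I) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(SUCCESS_TEMPLATE, STORED_SUBMISSION)
        print(f"{label}: active markup present = {contains_active_markup(out)}")
        print("  ", out)
```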

What You Should Do

Again, if you do not have a magic tag in your success message, which is not a default setting, this issue does not affect you. Still, you should keep your plugins up to date.

  • Update to Caldera Forms 1.6.1.1 through WordPress now. This update was done to trigger update notices.
  • You can also use WP Rollback to re-install 1.6.0 or 1.6.1, which have the fix.