Update March 13, 2019: Sucuri has published details of this vulnerability.
This update includes an important SECURITY fix that affects some Pro customers. If you do not have Caldera Forms Pro API keys activated, this issue does not affect you. Please contact support if you are a paying customer and have questions.
Details About Security Issue
Sucuri discovered this issue and responsibly disclosed it to us. We expect Sucuri to publish details on their blog in a reasonable amount of time and we trust their judgement.
Are You At Risk?
This is only an issue if you have Caldera Forms connected to the Caldera Forms Pro API.
What Can You Do?
Update to Caldera Forms 1.8.2. You can also use WP Rollback to update to 1.7.7, which is also available today.
Other Fixes
- JavaScript error when Caldera Forms and WordPress SEO by Yoast or Jetpack’s map module were used together.
- Conditionals were missing when the variable pricing form template was used.
- Prevent a form from attempting to render if it doesn’t exist, so that it no longer triggers a PHP notice.
- Consent field, with some settings, created a PHP notice.
- Datepicker did not look functional on some devices.
- Rangeslider fields, when used in calculations, caused UI lags.