Admin email in public HTML source code
This topic has 17 replies, 4 voices, and was last updated 6 years, 5 months ago by jawadh90.
November 21, 2016 at 1:37 pm #22259 lichtteil (Member)
Hi guys,
I just got spam in connection to a domain of a website I created. I was wondering how the spammers could connect the domain with my email address and looked into the source code. To my surprise I found my admin email address in the wpgmaps JS settings (wpgmza_settings_ugm_email_address).
I investigated further and found the corresponding line in the wp-google-maps-pro.php. Next I used a search engine that searches the HTML source code and found 3775 websites exposing the admin email address because of WPGM…
This is a really big privacy and security issue and should be fixed asap! I used version 5.71 (that's the newest that I get via http://www.wpgmaps.com/get-updated-version/)
Please fix it asap.
Cheers
lichtteil
This topic was modified 6 years, 10 months ago by lichtteil.
November 21, 2016 at 1:56 pm #22264 SupportTeam (Moderator)
Hi Lichtteil
As mentioned in the WP.org topic, I sincerely apologize for this.
I’m currently working on an alternative fix and will release this update shortly.
November 21, 2016 at 2:20 pm #22269 SupportTeam (Moderator)
This reply has been marked as private.
November 21, 2016 at 2:21 pm #22270 SupportTeam (Moderator)
This reply has been marked as private.
November 21, 2016 at 2:25 pm #22272 lichtteil (Member)
This reply has been marked as private.
November 21, 2016 at 2:45 pm #22274 SupportTeam (Moderator)
Hi Lichtteil
Please confirm if you received my email containing the updated fix?
November 21, 2016 at 2:47 pm #22276 lichtteil (Member)
Thanks for your email and the new version. I will try later and keep you updated.
November 21, 2016 at 2:50 pm #22277 SupportTeam (Moderator)
Thank you very much. Looking forward to hearing from you.
November 22, 2016 at 7:01 pm #22339 kaffin8ed (Member)
Hi Jarryd,
Will this fix be made into a patch or updated download?
Thank you,
Tom
November 22, 2016 at 8:41 pm #22341 lichtteil (Member)
Hi Jarryd,
I tested the files you provided and they did not solve the issue. That's how I tested:
– Install blank WordPress
– Install wpgmaps from wordpress.org and activate it
– Upload wp-google-maps-pro and activate it
– Insert shortcode to example post
– Go to wpgmaps settings and press Save (In that method the Email is written to the wpgmaps config)
– Go to frontend and search html source code for wpgmza_settings_ugm_email_address
Please have a look into wp-google-maps-pro.php on line 6403, you will see that the admin_email is stored in the $wpgmza_data array.
Cheers
Mario
November 24, 2016 at 2:48 pm #22369 SupportTeam (Moderator)
Hi Mario
The reference to $wpgmza_data is only made when saving the email address in the plugin’s settings.
The array index ‘wpgmza_settings_ugm_email_address’ still appears on the page, however the value associated should be empty.
Please confirm you installed the versions I sent you (Pro version 6.07 and VGM add-on 2.8)?
November 24, 2016 at 3:58 pm #22373 lichtteil (Member)
Hi Jarryd,
I could solve the issue by installing wp-google-maps-ugm and then removing my email in the settings “Visitor Generated Marker Settings” -> “Email me whenever there is a new marker”.
I never planned to use visitor generated markers, that's why I didn’t have that plugin installed. The security and privacy issue is still present. The email field should not be pre-filled with the admin email when you don’t select that option, and more important: it should never be exposed to the frontend.
Please read the code again, when there is no value given (e.g. because ugm is not installed) then the admin email address is written to the $wpgmza_data array.
    if (isset($_POST['wpgmza_settings_ugm_email_address'])) {
        $wpgmza_data['wpgmza_settings_ugm_email_address'] = esc_attr($_POST['wpgmza_settings_ugm_email_address']);
    } else {
        $wpgmza_data['wpgmza_settings_ugm_email_address'] = get_option('admin_email');
    }
Cheers
Mario
December 8, 2016 at 8:56 am #22636 SupportTeam (Moderator)
Hi Mario
We’ve tested this on numerous occasions and can confirm that the email address no longer displays on the front end in the source code.
The admin’s email address is stored by default, yes, however this does not show on the front end in the latest versions of the plugin.
April 22, 2017 at 8:00 am #26318 jawadh90 (Member)
Hi Jarryd,
I purchased version 6.13 yesterday and it seems that the issue has come back. Email address shows up in wpgmza_settings_ugm_email_address. Can you please help me fix this issue?
Thanks
April 23, 2017 at 2:27 am #26336 jawadh90 (Member)
Here is a quick fix if anyone else is having an issue with it.
1) File wp-google-maps-pro.php line 7131, remove get_option('admin_email') and replace it with '0'. Save the file.
2) Go to settings/InfoWindow, select Infowindow Style and save.
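The front-end check used in this thread (search the rendered page source for wpgmza_settings_ugm_email_address and see whether a value is attached), as an added Python example that is not part of the original posts or the plugin's code. It assumes the setting appears as a JSON-style "key":"value" pair; the sample pages and the names sample_settings and other_setting are constructed.

```python
import re

KEY = "wpgmza_settings_ugm_email_address"  # setting name quoted in the thread

# Assumption: the settings are emitted as JSON-style "key":"value" pairs in an
# inline script; the thread does not show the surrounding markup.
PAIR_RE = re.compile(r'["\']' + re.escape(KEY) + r'["\']\s*:\s*(["\'])(.*?)\1', re.S)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_page(html):
    """Return (status, value) for each occurrence of KEY in a page's source.

    'exposed': the value contains an e-mail address
    'empty':   key present, value "" or "0" (the states the thread treats as fixed)
    'other':   key present with some other non-empty value
    An empty list means the key is not present as a key/value pair.
    """
    findings = []
    for match in PAIR_RE.finditer(html):
        value = match.group(2).strip()
        if EMAIL_RE.search(value):
            findings.append(("exposed", value))
        elif value in ("", "0"):
            findings.append(("empty", value))
        else:
            findings.append(("other", value))
    return findings


def is_leaking(html):
    """True when any occurrence of KEY carries an e-mail address."""
    return any(status == "exposed" for status, _ in audit_page(html))


# Constructed sample pages (not taken from any real site).
TEMPLATE = '<script>var sample_settings = {"other_setting":"1","%s":"%s"};</script>'
LEAKY_PAGE = TEMPLATE % (KEY, "admin@example.com")
EMPTY_PAGE = TEMPLATE % (KEY, "")
ZERO_PAGE = TEMPLATE % (KEY, "0")

if __name__ == "__main__":
    for name, page in [("leaky", LEAKY_PAGE), ("empty", EMPTY_PAGE), ("zero", ZERO_PAGE)]:
        print(name, audit_page(page), "LEAK" if is_leaking(page) else "ok")
```

Run it against the saved source of your own front-end pages after each plugin update, since the thread reports the value reappearing in a later version.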