Admin email in public HTML source code

New home Forums Pro Add-on General queries Admin email in public HTML source code

Tagged: ,

Viewing 15 posts - 1 through 15 (of 18 total)
1 2
  • Author
    Posts
  • November 21, 2016 at 1:37 pm #22259
    lichtteil
    Member

    Hi guys,

    i just got spam in connection to a domain of a website i created. I was wondering how the spammers could connect the domain with my email address and looked into the source code. To my surprise i found my admin email address in the wpgmaps JS settings ( wpgmza_settings_ugm_email_address ).
    I invested further and found the corresponding line in the wp-google-maps-pro.php.

    Next i used a search engine that searches the HTML source code and found 3775 websites exposing the admin email address because of WPGM…

    This is a really big privacy and security issue and should be fixed asap! I used version 5.71 (thats ne newest that i get via http://www.wpgmaps.com/get-updated-version/

    Please fix it asap.

    Cheers
    lichtteil

    • This topic was modified 6 years, 4 months ago by lichtteil.
    November 21, 2016 at 1:56 pm #22264
    SupportTeam
    Moderator

    Hi Lichtteil

    As mentioned in the WP.org topic, I sincerely apologize for this.

    I’m currently working on an alternative fix and will release this update shortly.

    November 21, 2016 at 2:20 pm #22269
    SupportTeam
    Moderator
    This reply has been marked as private.
    November 21, 2016 at 2:21 pm #22270
    SupportTeam
    Moderator
    This reply has been marked as private.
    November 21, 2016 at 2:25 pm #22272
    lichtteil
    Member
    This reply has been marked as private.
    November 21, 2016 at 2:45 pm #22274
    SupportTeam
    Moderator

    Hi Lichtteil

    Please confirm if you received my email containing the updated fix?

    November 21, 2016 at 2:47 pm #22276
    lichtteil
    Member

    Thanks for your email and the new version. I will try later and keep you updated.

    November 21, 2016 at 2:50 pm #22277
    SupportTeam
    Moderator

    Thank you very much. Looking forward to hearing from you.

    November 22, 2016 at 7:01 pm #22339
    kaffin8ed
    Member

    Hi Jarrd,

    Will this fix be made into a patch or updated download?

    Thank you,

    Tom

    November 22, 2016 at 8:41 pm #22341
    lichtteil
    Member

    Hi Jarryd,

    I tested the files you provided and they did not solve the issue. Thats how I tested:

    – Install blank WordPress
    – Install wpgmaps from wordpress.org and activate it
    – Upload wp-google-maps-pro and activate it
    – Insert shortcode to example post
    – Go to to wpgmaps settings and press Save (In that method the Email is written to the wpgmaps config)
    – Go to frontend and search html source code for wpgmza_settings_ugm_email_address

    Please have a look into wp-google-maps-pro.php on line 6403, you will see that the admin_email is stored in the $wpgmza_data array.

    Cheers
    Mario

    November 24, 2016 at 2:48 pm #22369
    SupportTeam
    Moderator

    Hi Mario

    The reference to $wpgmza_data is only made when saving the email address in the plugin’s settings.

    The array index ‘wpgmza_settings_ugm_email_address’ still appears on the page, however the value associated should be empty.

    Please confirm you installed the versions I sent you (Pro version 6.07 and VGM add-on 2.8) ?

    November 24, 2016 at 3:58 pm #22373
    lichtteil
    Member

    Hi Jarryd,

    I could solve the issue by installing wp-google-maps-ugm and then removing my email in the settings “Visitor Generated Marker Settings” -> “Email me whenever there is a new marker”.

    I never planned to use visitor generated markers thats why I didn’t have that plugin installed. The security and privacy issue is still present. The email field should not be pre-filled with the admin email when you don’t select that option, and more important: it should never be exposed to the frontend.

    Please read the code again, when there is no value give (e.g. because ugm is not installed) then the admin email address is written to the $wogmza_data array.

    if (isset($_POST['wpgmza_settings_ugm_email_address'])) { $wpgmza_data['wpgmza_settings_ugm_email_address'] = esc_attr($_POST['wpgmza_settings_ugm_email_address']); } else { $wpgmza_data['wpgmza_settings_ugm_email_address'] = get_option('admin_email'); }

    Cheers
    Mario

    December 8, 2016 at 8:56 am #22636
    SupportTeam
    Moderator

    Hi Mario

    We’ve tested this on numerous occasions and can confirm that the email address no longer displays on the front end in the source code.

    The admin’s email address is stored by default, yes, however this does not show on the front end in the latest versions of the plugin.

    April 22, 2017 at 8:00 am #26318
    jawadh90
    Member

    Hi Jarryd,

    I purchased 6.13 version yesterday and seems that the issue has come back. Email address shows up in wpgmza_settings_ugm_email_address. Can you please help me fix this issue?

    Thanks

    April 23, 2017 at 2:27 am #26336
    jawadh90
    Member

    Here is a quick fix if anyone else having issue with it.

    1) File wp-google-maps-pro.php line 7131, remove get_option(‘admin_email’) and replace it with ‘0’. Save the file
    2) Go to settings/InfoWindow, select Infowindow Style and save.

  • Author
    Posts
Viewing 15 posts - 1 through 15 (of 18 total)
1 2
  • You must be logged in to reply to this topic.