Log Emails security fix

Log Emails v1.1.0 has just been released. This release contains an important security fix, as well as some other changes.

Plugin Vulnerabilities contacted me today to responsibly disclose a security problem with Log Emails. They discovered that any logged-in user could see any email log or other post by guessing a post ID and using that ID in the log view page. Thanks for letting me know first, so that I could get out a fix!

It was suggested to me that this plugin should warn when emails don’t have some required fields, since this is a development / analysis plugin. This release adds a Warnings column that tells you when an email is missing sender, recipients, subject, or body.

Also, since this plugin is used for email analysis, I’ve implemented a suggestion from Hrohh and no longer allow WordPress to sanitise the email body when saving it to the log. But don’t panic! The log view page sanitises the content before displaying it, so it’s safe!
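The two points above, the missing access check on the log view page and sanitising the raw body at display time, look like this as an added example (not the plugin's actual code). The function name, the post type constant, the `post_id` query parameter and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
// Added example, not code from Log Emails. It runs inside WordPress.
// Hypothetical names: EXAMPLE_LOG_POST_TYPE, example_render_log_view(),
// and the 'post_id' query parameter.
const EXAMPLE_LOG_POST_TYPE = 'example_email_log'; // placeholder post type

function example_render_log_view() {
    // 1. Authorisation: being logged in is not enough to read logs.
    //    'manage_options' is an assumed capability for this example.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'You are not allowed to view email logs.',
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Treat the requested ID as untrusted input: force a non-negative integer.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // 3. Object check: the ID must resolve to an email log, never to some
    //    other post type. Missing and wrong-type IDs get the same response,
    //    so the page does not reveal which other post IDs exist.
    if ( ! $post || EXAMPLE_LOG_POST_TYPE !== $post->post_type ) {
        wp_die( 'Email log not found.', '', array( 'response' => 404 ) );
    }

    // 4. The body is stored unsanitised for analysis, so sanitise on output:
    //    esc_html() for plain text fields, wp_kses_post() to strip scripts
    //    and other disallowed markup from an HTML body.
    echo '<h2>' . esc_html( $post->post_title ) . '</h2>';
    echo '<div class="log-body">' . wp_kses_post( $post->post_content ) . '</div>';
}
```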

There have also been some layout fixes to the log list, and Hrohh suggested some CSS fixes to improve the display of logged email content.

You can update to the latest version from your WordPress plugin admin page. Here’s the full changelog for Log Emails.
