Last Friday we released Charitable 1.6.51, which fixes a critical security vulnerability affecting any website using Charitable. While we are not aware of any exploits of the vulnerability, we are urging everyone to upgrade to Charitable 1.6.51 as soon as possible.
For those using Charitable Ambassadors, version 2.1.8 was released yesterday, providing additional security fixes and updating is highly recommended. Charitable Recurring Donations 1.2.9 also has a small fix today related to form validation.
A bit of background
Last week, Charitable user Asif Minhas reached out to us about a Cross Site Scripting vulnerability. This vulnerability was limited in its severity, as it could only be exploited by users with the Campaign Manager role. This vulnerability has also been fixed in Charitable 1.6.51.
In the process of investigating this, we discovered a much more serious Cross Site Scripting vulnerability that could be exploited by anonymous users. The vulnerability was found on Thursday afternoon and on Friday evening we released Charitable 1.6.51.
There are a number of changes in Charitable 1.6.51 that may affect some users, which we will cover in a little more detail below.
Campaign Managers and the unfiltered_html capability
Charitable 1.6.51 removes the unfiltered_html capability from the Campaign Manager role. This means that Campaign Managers will not be able to add certain HTML tags such as <iframe> and <embed>, as well as Javascript code.
While there can be good reasons for Campaign Managers to have this role, we determined that the default in Charitable should be for this capability to only be available to Administrators. (WordPress also makes this capability available to the Editor role, but Editors are not able to create or edit campaigns, so this does not affect Charitable).
If you would like to continue providing Campaign Managers with the unfiltered_html capability, this can be achieved by using one of the role capability editor plugins listed at https://wordpress.org/support/article/roles-and-capabilities/#plugins.
Quick aside: As mentioned above, Editors and Administrators both have the ability to add unfiltered_html. If you would like to disable this altogether, you can do so by adding the following line to your wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );Adding HTML to donation amount descriptions
Previously, when adding suggested donation amounts, it was possible to add HTML to the suggested donation amount descriptions. With Charitable 1.6.51, this will no longer be possible by default.
But if you really want to be able to add HTML to your suggested donation amount descriptions, you can re-enable this ability using the charitable_sanitize_suggested_amount_description filter, by simple adding the following to a custom plugin, your theme’s functions.php file, or with a plugin like Code Snippets:
add_filter( 'charitable_sanitize_suggested_amount_description', '__return_false' );Is it safe to do this? That depends on your situation. If the only people creating campaigns on your website are Administrators, then this should be fine. However, if you have Campaign Managers creating campaigns as well, or if you are using Charitable Ambassadors and campaign creators can set suggested amounts for their campaigns, be aware that this does allow those users to add HTML to their amount descriptions as well.
That said, even if you do turn off sanitization of the suggested amount descriptions, Charitable still ensures that no unsafe HTML is added, such as Javascript code, by filtering the content using wp_kses_post.
A final word
We’re sorry to everyone using Charitable for this security vulnerability. We’re disappointed and frankly more than a little bit embarrassed by this. We will continue to do our absolute best to make sure that Charitable is a simple, secure way for you to accept donations on your website.
Thank you to Asif Minhas, who reported the vulnerability related to Campaign Managers, and Robert Rowley from WPScan who was also in touch regarding the Campaign Managers issue.
If you have any concerns about this release or would like a hand with anything else related to Charitable, get in touch with us! We’re always happy to help.
If you have found a security vulnerability and would like to report it, please email us at [email protected].
Leave a Reply