CVE-2022-29442: Private Messages For WordPress
Authenticated (subscriber or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Messages For WordPress <= 2.1.10 at WordPress.
This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.
Wasn’t getting email notifications when a message was sent to inbox. Found in send-page.php (plugins/pm4wp/inc/send-page.php) the following code…

    $recipient_email = $wpdb->get_var( "SELECT user_email from $wpdb->users WHERE display_name = '$rec'" );

…on line 120 needed to be changed with…

    $recipient_email = $wpdb->get_var( "SELECT user_email from $wpdb->users WHERE user_login = '$rec'" );

…as it was trying to pull with username, not display name. Hope this helps anyone running into the same issue.
“Private Messages For WordPress” is open source software. The following people have contributed to this plugin.
Contributors
- Anh Tran