WordPress Locator Improves Email Link Security

Store Locator Plus version 4.2.27 has been released with a focus on improved email link security.

Upgrade To SLP 4.2.27 Now – Prevent Spam

The current release of Store Locator Plus removes the send-email script from the product due to security concerns. If you are running any version of Store Locator Plus between version 2.1 and version 4.2.26 you are potentially allowing spammers to use your Store Locator Plus installation to send spam through your server. A security expert has forwarded to CSA a script that takes advantage of a loophole in the WordPress nonce controls: a WordPress nonce is an anti-CSRF token that any visitor who can load the locator page can read, not proof of authorization, so a third party can grab the nonce and use it to send email through the send-email.php script to and from any email address they choose. This script is published online, though it has not yet been announced to the general public. SLP 4.2.27 removes this vulnerability completely from the base plugin AND prevents a similar hacking methodology from being employed when using the new Enhanced Results popup email form that is coming out this week.

If you are using a version of the popup email forms from older versions of the Pro Pack, those forms will no longer function because this security hole has been closed. The new Enhanced Results popup email form provides more form control options, is a modal JavaScript dialog box, and protects the email addresses of your location contacts from being exposed on the locator interface.

Other Notable Updates

In past releases of the base plugin, any location that included a contact email address displayed that address as a basic mailto: hyperlink in the map results, with the email address rendered in plain text. Sites that display location results by default, which is the preferred setting on most locator websites, were therefore exposed to page scrapers that could harvest these email addresses.

Store Locator Plus version 4.2.27 replaces the plain-text email address output with the word “email” linked to the email address. The label can be changed via the User Experience / Results tab to any text the site administrator chooses. This is not the most secure way to prevent page scraping, since the address still appears in the link’s mailto: target and a scraper that reads href attributes rather than visible text will still find it, but it is an improvement. The 4.2.27 release also lays the foundation for the imminent Enhanced Results update, which provides several email link rendering options, including a way to revert to the legacy “show the email address in the results” behavior (how version 4.2.26 and earlier worked), as well as a completely revamped popup email form that eliminates additional security issues present in the prior popup email system, which had been in place for the past three years.
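To make the two points above concrete, here is an added example (not Store Locator Plus code, and not the actual send-email.php that was removed) of the class of bug the nonce discussion describes, beside a hardened AJAX handler that also avoids putting contact addresses on the page at all. Function names prefixed demo_, the demo_locations table and its contact_email column, and the transient name are hypothetical; the WordPress APIs used (check_ajax_referer, wp_mail, sanitize_email, is_email, set_transient, wp_send_json_error, $wpdb->prepare) are real.

```php
<?php
/**
 * Added illustration only; not Store Locator Plus code.
 * demo_* names, the demo_locations table and its columns are hypothetical.
 */

// VULNERABLE PATTERN: the nonce proves only that the request came from a page
// that carried the nonce. Any anonymous visitor can load the locator page, read
// the nonce out of the HTML, and replay it; the handler then mails whatever
// addresses the request supplies, so the site becomes an open mail relay.
function demo_send_email_vulnerable() {
    check_ajax_referer( 'demo_send_email', 'nonce' ); // passes for any visitor
    $to      = $_POST['to'];                           // attacker-chosen recipient
    $from    = $_POST['from'];                         // attacker-chosen sender
    $message = $_POST['message'];
    wp_mail( $to, 'Location info', $message, array( 'From: ' . $from ) );
    wp_send_json_success();
}

// HARDENED PATTERN: the browser never sees or chooses an address. It sends a
// location ID; the recipient is looked up server-side, From is the site's own
// address, and the visitor's address goes in Reply-To only after validation.
// The nonce stays as CSRF protection; it is not treated as authorization.
function demo_send_email_hardened() {
    check_ajax_referer( 'demo_send_email', 'nonce' );

    $location_id = absint( $_POST['location_id'] ?? 0 );
    $visitor     = sanitize_email( wp_unslash( $_POST['visitor_email'] ?? '' ) );
    $message     = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    // is_email() rejects line breaks, which also blocks header injection via Reply-To.
    if ( ! $location_id || ! is_email( $visitor ) || '' === $message ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // Per-IP throttle: a relay is only useful to a spammer in volume.
    $key   = 'demo_send_email_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $key, $count + 1, HOUR_IN_SECONDS );

    // Recipient comes from the database, keyed by ID; the page never carried it.
    global $wpdb;
    $contact = $wpdb->get_var( $wpdb->prepare(
        "SELECT contact_email FROM {$wpdb->prefix}demo_locations WHERE id = %d",
        $location_id
    ) );
    if ( ! $contact || ! is_email( $contact ) ) {
        wp_send_json_error( 'unknown location', 404 );
    }

    $site_name = wp_specialchars_decode( get_bloginfo( 'name' ), ENT_QUOTES );
    $headers   = array(
        'From: ' . $site_name . ' <' . get_option( 'admin_email' ) . '>',
        'Reply-To: ' . $visitor,
        'Content-Type: text/plain; charset=UTF-8',
    );
    $body = "Message sent via the store locator on {$site_name}:\n\n" . $message;

    if ( ! wp_mail( $contact, 'Question about your location', $body, $headers ) ) {
        wp_send_json_error( 'mail failed', 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_send_email', 'demo_send_email_hardened' );
add_action( 'wp_ajax_demo_send_email', 'demo_send_email_hardened' );

// Rendering side: emit only the location ID, never the address, so there is no
// mailto: target for a scraper to read (contrast with the labelled mailto: link).
function demo_render_email_link( $location_id, $label = 'email' ) {
    return sprintf(
        '<a href="#" class="demo-email-link" data-location="%d">%s</a>',
        absint( $location_id ),
        esc_html( $label )
    );
}
```

The hardened handler changes what the client is trusted with: it may say which location it wants to contact and who it is, but never which mailbox receives the message or which address appears as the sender. The nonce check is kept, but it only stops cross-site request forgery; the throttle and the server-side lookup are what stop the relay abuse.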

In addition, Store Locator Plus 4.2.27 removes the hard-coded JavaScript email form, which reduces browser memory consumption for site visitors who use the store locator. The new form implementation allows for more control and better interface designs in the future without having to modify inline JavaScript files. New forms can be augmented via standard WordPress filters in PHP.

Other updates in Store Locator Plus 4.2.27 include further refinements to the add-on framework, with built-in methods for deploying custom locator-specific JavaScript from within add-ons, better user interface controls, more WPML integration elements for multilingual support, AJAX framework updates, and more hooks and filters that allow the add-on packs to do more through the base plugin with less memory consumption and simpler code design.

Look for more updates to the add-on packs as they leverage the new add-on framework improvements.    If you are a Premier Subscriber you can also expect to see several new add-on packs in 2015.

Store Locator Plus Changelog