
GD Mail Queue Pro 5.5 and Lite 4.0

Both the Pro and Lite versions of the GD Mail Queue plugin have been released with significant updates and changes, including a fix for an unauthenticated stored cross-site scripting (XSS) vulnerability.

This new release for both the Pro and Lite editions is important because it includes core changes to how the plugin handles emails from now on. All these changes were prompted by a security vulnerability recently discovered and reported by Wordfence: an email passing through the system could contain malicious JavaScript that gets stored in the database as part of the email log and, when that log entry is displayed in the admin, executes in the browser of whoever is viewing it. How does such an email get into the system in the first place? Some contact form plugins do not sanitize the message content, so anyone who can submit a front-end contact form, without being logged in, can place malicious markup into the email that is generated from it.

If you use the HTMLfy feature in GD Mail Queue, plain text that needs to be turned into an HTML email is now passed through the wp_kses function, which allows only a selected list of HTML tags and attributes and removes the SCRIPT tag and anything else that can be used for malicious purposes. There is a new option to control this process, and you can even strip all HTML from the plain text if you want to.

The email subject is also processed, and any HTML in it is stripped. Finally, before an email is stored in the log, its content is checked to ensure that KSES has been run on it too. In the Log panel where the emails are displayed, all the relevant elements are escaped for display, so if older emails already in the log contain stored SCRIPT tags, they are neutralized when shown.

What does all this mean for everyday use? All emails are sanitized regardless of their source, which neutralizes script injected upstream by a form or another plugin. Emails are processed to remove any HTML that should not be allowed anyway, and the email subject no longer allows HTML (the email specifications do not allow HTML in the subject, since it is a header, not part of the body). The plugin has a few filters in place to further control this sanitization process.
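The following is an added example of the three-layer approach described above (sanitize the subject, KSES the body, escape again on display). It is not GD Mail Queue's own code, and it does not use the plugin's filters; the option name `example_strip_all_html` and all `example_*` function names are hypothetical. The WordPress functions it calls (`wp_kses`, `wp_strip_all_tags`, `esc_html`, `add_filter` on the `wp_mail` hook) are real core APIs.

```php
<?php
/**
 * Added example, not GD Mail Queue's own code.
 *
 * Sanitizes every outgoing email on the wp_mail hook, regardless of which
 * plugin generated it, and escapes stored entries again when they are shown
 * in an admin log. Function names and the option name are hypothetical.
 */

// Tags and attributes an HTML email may keep. Anything not listed here
// (script, img with onerror=, style, etc.) is removed by wp_kses().
// wp_kses() also drops href values whose protocol is not in
// wp_allowed_protocols(), so "javascript:" links are removed as well.
function example_allowed_email_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'b'      => array(),
        'strong' => array(),
        'i'      => array(),
        'em'     => array(),
        'p'      => array(),
        'br'     => array(),
        'ul'     => array(),
        'ol'     => array(),
        'li'     => array(),
    );
}

// Subject is a mail header: it never legitimately carries HTML, so strip
// every tag and collapse line breaks (a newline here would also allow
// header injection).
function example_sanitize_subject( $subject ) {
    return wp_strip_all_tags( (string) $subject, true );
}

// Body: keep only the allow-listed markup, or strip all HTML when the
// site owner has turned that option on.
function example_sanitize_body( $message, $strip_all = false ) {
    $message = (string) $message;

    if ( $strip_all ) {
        return wp_strip_all_tags( $message );
    }

    return wp_kses( $message, example_allowed_email_html() );
}

// Hooking wp_mail means a contact form plugin that forgot to sanitize its
// input still cannot get a <script> tag into the queue or the log.
add_filter( 'wp_mail', 'example_sanitize_wp_mail_args', 10, 1 );

function example_sanitize_wp_mail_args( $args ) {
    // Hypothetical option; defaults to KSES filtering rather than stripping.
    $strip_all = (bool) get_option( 'example_strip_all_html', false );

    if ( isset( $args['subject'] ) ) {
        $args['subject'] = example_sanitize_subject( $args['subject'] );
    }

    if ( isset( $args['message'] ) ) {
        $args['message'] = example_sanitize_body( $args['message'], $strip_all );
    }

    return $args;
}

// Display layer: escape on output as well. This is what protects against
// entries that were logged before the sanitization above existed.
function example_render_log_row( $subject, $message ) {
    return '<tr><td>' . esc_html( $subject ) . '</td>'
         . '<td><pre>' . esc_html( $message ) . '</pre></td></tr>';
}
```

The two layers are deliberately independent: input sanitization keeps the stored data clean for every consumer of the log (exports, other plugins), while output escaping covers data that was stored before the fix or that bypassed the hook. If the log offers an HTML preview of the body instead of the escaped source, that preview should run the stored body through `wp_kses()` with the same allow-list again rather than printing it raw.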

This version has new system requirements and many small code improvements, starting the process of code modernization that will continue in future versions.

To see the list of all the changes in this version, please check out the changelog. If you find any issues with the new version, please report them in the support forums.

GD Mail Queue Pro plugin for WordPress
Queue based, enhanced email sending system

Intercepts the wp_mail function, converts emails to HTML and implements a flexible mail queue system for sending emails, with support for email sending engines and services.

About the author

Milan Petrovic

CEO and lead developer of the Dev4Press web development company, working with WordPress since 2008, first as a freelancer and later founding his own development company. Author of more than 250 plugins and more than 20 themes.
