What Happened: On the morning of October 29th, 2020, the weForms team was made aware of a vulnerability in our plugin: logging was writing sensitive information to a file that could be accessed from the front end of the website.
What We Did: Immediately after we were made aware of the issue, it was escalated to our development team, who pushed a fix within hours. The patch is now in place in weForms free version 1.5.5, available in the WordPress repository. The patch disables the functionality that writes the log file and prevents the file from being created. It also deletes the existing file for any user who has one.
What You Need to Do: Now that we have released the patch that fixes the vulnerability, we urge you to update your plugin via WordPress Dashboard > Plugins or from the WordPress repository as soon as possible. This update will work for all users – free and paid. We will restore any disabled logging and debugging functionality in an upcoming release. Once you update, rest assured the root of the problem has been addressed.
Thank you for promptly updating your plugin. If you have any concerns or additional questions, please reach out to support directly.