Mail On Update
[resolved] E-Mail Addresses resetet on update to newest version (18 posts)

  1. dmsolutions
    Posted 3 years ago #

    Since Update on Version 5.2.0 all E-Mail adresses are resetet to the WordPress Admin E-Mail and there also is no field anymore to change the notification address.

    Best regards


  2. kubi23
    Plugin Author

    Posted 3 years ago #

    That is correct. Please check the changelog.

  3. dmsolutions
    Posted 3 years ago #

    You mean this comes from version 5.0:

    - Notification is only send to users with update permission

    Is there any chance to set a notification to another mail adress than to send the notification to all admin users? We have some blogs with about 15 admin users but they should not get informed everytime there is an update.

  4. kubi23
    Plugin Author

    Posted 3 years ago #

    Sorry, just saw that i missed the notice in the changelog.

    The changes came with 5.2.0
    - Fixed slightly possible CSFR Bug

    The "Fix" was to remove the possible to speicify other e-mail adresses for recievers. As of version 5.2.0 the notification will go to all admin users.

  5. joelkriteman
    Posted 3 years ago #


    Can I just double check please?

    Your recent fix has removed the functionality to specify additional email addresses to be notified.

    You have said:

    As of version 5.2.0 the notification will go to all admin users.

    Does this mean that anybody who is set as "administrator" should get email notifications?

    I have several sites where I installed your plugin and it seems that whichever email address is in the email box on the WordPress settings page will get notifications (regardless of user level) and nobody else even if other people do have the administrator access level.

    I usually put a client's own email address in there so that they get notified about comments etc but would want plugin update emails to come to me.

    Do you have any plans to fix it again / further please?



  6. kubi23
    Plugin Author

    Posted 3 years ago #


    The implementation after the fix greps the wp-option get_option("admin_email"); and sends the notification to this address. Per WordPress Codex this "Retrieves the e-mail of the blog administrator".

    Currently I have no time to refactore the function to its original handling with custom email addresses.

    You can of course downgrade to 5.1.0 - check the CVE (http://www.openwall.com/lists/oss-security/2013/05/16/8) if you can live with that.

  7. joelkriteman
    Posted 3 years ago #

    Thanks kubi.

    Not sure if I could ;-)

    I like up to date plugins - hence why I used your plugn!

    Thanks anyway


  8. worthdesigning
    Posted 3 years ago #

    Same issue here too.
    I was wondering why I wasn't getting email updates.

    Have to create some new admins on my sites now.
    If you can add back that functionality - choose where the emails go - that would be great.

    But great plugin - thanks

  9. cr33dog
    Posted 3 years ago #

    This little workaround mails all admins, around line 195:

    function mailonupdate_listOfCommaSeparatedRecipients() {
    			//return get_option("admin_email");
    			$emails = array();
    			$admins = get_users('role=administrator');
    			foreach ($admins as $admin){
    				array_push($emails, $admin->user_email);
    			return implode($emails, ',');
  10. pulk99
    Posted 2 years ago #

    I must say, I don't like that change, I administrate a lot of blogs, where the wordpress admin isn't the person who updates the software, but we need that worpdress email admin set to an "official email address", so I don't get the mails anymore, instead a lot of other persons are spamed with it.

    I would like to see the option to enter an alternative address to come back, because it is and was a very helpful plugin, but it's now missing pretty much all the functionality I used it for.

  11. kubi23
    Plugin Author

    Posted 2 years ago #

    The problem is that specifying an external email address is the hole bug in the first place. See http://www.openwall.com/lists/oss-security/2013/05/16/8

  12. geeks2rent
    Posted 2 years ago #

    Hello Pulk99 and all the others

    I share the very same problem.
    Clients are the WP-admin but I am the geek2rent to look after things.
    like an digital housekeeper.

    So I need to receive the emails on a different emailaddress

    I did read the link provided by kubi23 concerning the security issue.
    As I do not share the view that this is a real risk I took the liberty to put the very much desired code back into kubi23 plugin.

    It Works for me! just replace the content of mail-on-update.php
    with the code below.


    [ 429 lines of code moderated. Please use pastebin.com instead. ]

  13. geeks2rent
    Posted 2 years ago #

    Hello All,

    As I can't post the FIX for the desired function here. I made it available via our server.

  14. kubi23
    Plugin Author

    Posted 2 years ago #

    No need for a Fix ;-) As I sad 4 month ago:

    "You can of course downgrade to 5.1.0 - check the CVE (http://www.openwall.com/lists/oss-security/2013/05/16/8) if you can live with that."

  15. geeks2rent
    Posted 2 years ago #

    Hello Kubi23,

    Why downgrade? When I can use it inside the current version.
    Works neat! As to the concernes of security.
    The form can not be accessed in that way on my installations.

    The funktion to change or at least add an different email recipient is IMHO important - extremly usefull.

    I merely intended to help as I can understand the needs of those other supporters in their daily struggle in maintenance work.
    Also the Client side ( the actual admin ) gets bombarded with infos but fails to forward them.

    Till now I had manually hack in a different mail recipient - which gets overruled by every new release.
    e.g. (I went for the lasy tweak in the past.)
    //notifier list
    function mailonupdate_
    listOfCommaSeparatedRecipients() {
    // return get_option("admin_email");
    return (string) "WP-support@geeks2rent.co.uk";

    just to explain my intentions

    Greetings from

  16. pulk99
    Posted 2 years ago #

    ok, what about specifying a wordpress user who can recieve the update mails, so only already registered users (with admin rights) can be selected.

  17. kubi23
    Plugin Author

    Posted 2 years ago #

    That idea sound good to me.

    However, I cant promise you anything, but there might be a solution coming up in the next days.

    On a side note, as WP 3.7.1 ships with automatic core updates, I think there will be automatic plugin updates soon.

  18. geeks2rent
    Posted 2 years ago #

    Hello All,

    Here now the mended version (extended of the much desired function).

    be aware:
    A CSRF vulnerability is not a big deal if one knows how to protect the files beyond the publicly facing website. If not protected it indeed poses a threat and may reveals as much as the program WP-Scan does.

    I left in the comments in the source code as this enhances the readability of the code.

    I don't look forward to an automated plug-in update function, as kubi23 mentioned. Unfortunately a lot of programmers are working in the plugin-code directly.
    All that would get lost in an indiscriminate upgrade.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Mail On Update
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic


No tags yet.