Support » Plugin: GiveWP - Donation Plugin and Fundraising Platform » Fatal error when editing pages

  • Resolved mhennessie

    (@mhennessie)


    Updated the plugin to version 2.10.0 and get a fatal error when trying to edit a page. I rolled back to 2.9.7 but that exposes a XSS vulnerability that is patched in the 2.10.0 version.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Matt Cromwell

    (@webdevmattcrom)

    Hi there,

    After you update to 2.10, there’s a couple important things you should do as well:

    1. Run the Database update that you’ll see available in “Donations > Updates”
    2. Create the new Donor Dashboard. You’ll see a notice at the top of your Give settings pages about that.

    Once both of those are done correctly you should not have any trouble with creating posts or pages at all.

    Please make a backup of your site before running updates in general, but particularly before doing the database update.

    Thanks!

    Thread Starter mhennessie

    (@mhennessie)

    Now I get this: “There was a problem running the migrations. Please reach out to GiveWP support for assistance”

    Still cannot edit pages.

    Plugin Contributor Ben Meredith

    (@benmeredithgmailcom)

    Hi @mhennessie

    It sounds like you are experiencing the same thing as a different forum poster, which you can read here: https://wordpress.org/support/topic/cant-create-new-pages-3/#post-14235730

    The short version is that your site is likely running an older version of MySQL that prevented it from making an update to the database (we’re looking into the fix for that and will likely ship a backward compatible version next week).

    Combined with that, there’s an issue where our plugin is mistakenly checking the migration logs (which don’t exist on your site) on every attempt to save/update posts and pages. The fix for that will also come out next week, most likely.

    I’d also like to address the XSS security issue patched in 2.10.0 and assure you of three things:

    1. There’s no evidence of the issue being exploited in the wild.
    2. We patched it within hours.
    3. Most importantly, to exploit this vulnerability, you have to already have admin access to the site. To use an analogy, it’s like finding an unlocked cabinet inside of a locked house. In order to get to that cabinet, you have to already have a key to the house. More importantly, the key that you have to the house (administrator) allows you to already do any nefarious thing you want, with or without the cabinet.

    That’s not to say we shouldn’t patch the issue. We definitely have. Just that anyone who can exploit the issue probably wouldn’t take the time, since they already have the master key.

    I’m going to close this issue, since you can follow along on the feedback site with the status of the issues. The immediate workaround for you would most likely be to update the version of MySQL running on your site, or to temporarily roll back to 2.9.7 with the assurance that the site is still secure.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.