Paul Ryan

Aloha, we have released version 3.8.1 with a fix for WPML, please let us know if this solves your problem!

https://github.com/uhm-coe/insert-pages/commit/4e024177420db98cbdca90362f0afa0b545c7fae

Can you check Admin Dashboard > Settings > Insert Pages and see what “Insert method” is set to? This functionality should work if set to “normal” method. “Legacy” method has issues.

I would just hook into insert_pages_wrap_content and output your custom excerpt if it exists. To do this without adding another shortcode attribute, you can re-use the existing querystring attribute and add your custom_excerpt=Your excerpt text content in there; it will populate the $_REQUEST['custom_excerpt'] PHP global with your content that you can then use.

For example for this shortcode:

[insert page='123' display='custom.php' querystring='custom_excerpt=Your excerpt text']

You can use this hook to do the same thing:

add_filter( 'insert_pages_wrap_content', function ( $content, $inserted_page, $attributes ) {
	if ( ! empty( $_REQUEST['custom_excerpt'] ) ) {
		$content = sprintf(
			'<%1$s data-post-id="%2$s" class="insert-page insert-page-%2$s %3$s"%4$s><div class="customexcerpt">%5$s</div>%6$s</%1$s>',
			esc_attr( $attributes['wrapper_tag'] ),
			esc_attr( $attributes['page'] ),
			esc_attr( $attributes['class'] ),
			empty( $attributes['id'] ) ? '' : ' id="' . esc_attr( $attributes['id'] ) . '"',
			wp_kses_post( $_REQUEST['custom_excerpt'] ),
			$content
		);
	}

	return $content;
}, PHP_INT_MAX, 3 );

Definitely! We try to update all composer dependencies with each release, so guzzle must be getting pinned to the previous major version and we didn’t notice.

Offhand, do you know which guzzle version is being used in your other libraries? We can target upgrading to that one.

I hear ya with the chainsaws 😆

Ok so we should definitely investigate why the database has the user role at subscriber but the UI shows editor. Two things I can think of at the moment:

1. The user has a “multisite approved user” entry (from Network Settings) and an approved user entry on the specific subsite, and they disagree (although Authorizer is supposed to detect duplicates here)
2. The user has two separate accounts, perhaps one linked by username and another linked by email

Can you look in the database again and see if you can find any entry for this user with editor role? Besides the auth_settings_access_users_approved in the options table you’ve already inspected, the multisite approved users are stored in wp_options with name auth_multisite_settings_access_users_approved.

external=wordpress should only be available if “Hide WordPress logins” is enabled; “Disable WordPress logins” should prevent that login method from working. So at least the attackers shouldn’t be able to log into an account if they manage to intercept the “reset password” email.

But it does make sense to disable the forgot password endpoint if WordPress logins are disabled. We’ll look at the wp-login.php source and see if there’s a good way to do that!

Thanks! We’ve had one similar report from our institution but we were never able to get a concrete answer. We ultimately blamed it on a very large multisite with a low mysql max_allowed_packet corrupting the list of approved Authorizer users and their roles when it was updated. So that’s one thing to check.

The extra details about the failed logins give us another data point to look into. I’ll let you know if we have any follow up questions, thanks again for offering to help debug.

One other side comment with regards to the Members plugin: the role setting functionality in Authorizer expects a single role to be assigned, so it may occasionally conflict with multiple assigned roles assigned from another plugin. We’re still waiting for the core WordPress set_role() function to support multiple roles to get around this. https://developer.wordpress.org/reference/classes/wp_user/set_role/