Two days back, the plugins team at WordPress.org informed me of a potential CSRF vulnerability in one of the files in the admin area. As a result this plugin was taken offline while I fixed this release.
As part of this review, they highlighted a further incompatibility in the plugin, particularly in the external PHP/JS tracker that seeks wp-load.php. For long term users of this method (including me) this was a great way to load as minimal a WordPress environment using SHORTINIT which definitely had a massive performance boost particularly for the tracking. Although nothing wrong in terms of security, this method isn’t good when your plugin is used on over 30,000 sites globally with different platforms, versions of WordPress, different plugins and even different directory structures. While some users have reported issues with this, I’ve always provided an alternate option that is fully compatible. Unfortunately, as part of the requirements for keeping Top 10 listed in the WordPress.org plugin repository, this piece of code had to go from the plugin.
I have now uploaded v2.3.2 and every user should update to this version asap. If you’re an existing user, just visit your Updates page in the WordPress Admin and update to this version.
In the mean time, I am also working on a new version of Top 10 that also includes a cacheable JS based tracker. I will also create a self-hosted add-on that will bring back the external tracker. This will be available from WebberZone.com only and you can download this if the performance of the other trackers do not meet your expectations.
Changes in Top 10 v2.3.2
- Bug fixes:
- Santized several unsanitized post and get requests
- External PHP file tracking option introduced in v2.3.0 in line with wordpress.org plugin repository listing requirements.
Changes in Top 10 v2.3.1
- Bug fixes:
- Potential CSRF issue fixed in admin area