With v3.12.2 we added some optimizations and fixed several bugs.
For even more features and optimizations (see the comparison page), please use the integrated pro upgrader to start a free 30-day trial of Maps Marker Pro.
Maps Marker Pro v4.0 has also been released today and features a complete object-oriented rewrite of the codebase.
An update to the latest version is – as always – highly recommended.
Let me know what you think about this new release by submitting a review!
If you want to keep up to date with the latest Maps Marker development, please follow @MapsMarker on Twitter (= most current updates), on Facebook, Google+ or subscribe to news via RSS or via RSS/email.
Now let's get to the changes of free v3.12.1:
Since the start of our security bug bounty program on May 19th, we have received several vulnerability reports – due to our attention to secure coding and 3 penetration tests in the last 4 years, no severe or critical issues were found though. All but the first issue from the list below could only have been exploited by users with backend access – and in most cases by admin users only.
Some additional thoughts on why those vulnerabilities were not detected by us so far, although we are doing regular security checks: the attack vector of an admin who e.g. injects malicious code into Leaflet Maps Marker settings was not completely covered by us so far, as such an attacker would have had direct access to theme or plugin files – making it much easier to e.g. inject malicious code or change database tables directly than to use Leaflet Maps Marker for cross-site scripting.
Nevertheless, although the exploitability of the reported vulnerabilities is low, we take those reports seriously and have fixed all of them and hardened our entire codebase to prevent similar vulnerabilities in the future.
|compatibility check for “WP Super Cache” debug output which can cause layer maps to break|
|compatibility check for Admin Custom Login which causes the navigation on the settings page to break|
|compatibility check for Fast Velocity Minify plugin|
|option “HTML filter for popuptexts” to prevent injection of malicious code – enabled by default (thx jackl via hackerone)|
|Looking for developers to recommend to our clients for customizations – more details at mapsmarker.com/network|
|Autoptimize plugin compatibility check: also verify if option “Also aggregate inline JS?” is set (which is causing maps to break)|
|use wp_kses() instead of strip_tags() for recent marker widget to support selected HTML elements|
|only dequeue Google Maps API scripts added by other plugins instead of deregistering them if related option is enabled (as this could break dependent scripts & plugins like WP GPX maps)|
|prevent duplicate markers when exporting markers from multi-layer-maps to KML, GeoRSS & Wikitude (thx Eric & Thorsten!)|
|fix PHP APC cache detection for importer|
|XLS export for marker and layer maps was broken if PHP 7.1+ is used|
|markers and layers could not be saved on iOS devices due to a bug in Safari's datetime-local implementation (thx Natalia!)|
|window width on marker and layer edit pages could not be fully utilized on iOS devices (thx Natalia!)|
|list of markers was not fully responsive if images larger than 440px in popuptexts were used (thx Georges!)|
|Low impact: XSS vulnerabilities on marker & layer edit pages (thx to victemz & 0xnop via hackerone)|
|Low impact: command injection vulnerability in marker & layer export files (thx to kiranreddy via hackerone)|
|Low impact: stored XSS vulnerability for createdby and updatedby fields on backend|
|Low impact: stored XSS vulnerability on tools page only if Webapi is enabled (thx whitesector via hackerone)|
|Low impact: stored XSS vulnerability for custom default marker icon (thx whitesector via hackerone)|
|Low impact: stored XSS vulnerability for QR code image size (only if Google is set as default QR code provider – thx whitesector via hackerone)|
|updated Catalan translation thanks to Efraim Bayarri, Vicent Cubells, http://vcubells.net and Marta Espinalt, http://www.martika.es|
|updated Chinese translation thanks to John Shen, http://www.synyan.net and ck|
|updated German translation|
|updated Indonesian translation thanks to Andy Aditya Sastrawikarta and Emir Hartato, http://whateverisaid.wordpress.com and Phibu Reza, http://www.dedoho.pw/|
|updated Italian translation thanks to Luca Barbetti, http://twitter.com/okibone and Angelo Giammarresi – http://www.wocmultimedia.biz|
|updated Japanese translations thanks to Shu Higash and Taisuke Shimamoto|
|updated Lithuanian translation thanks to Donatas Liaudaitis – http://www.transleta.co.uk and Ovidijus – http://www.manokarkle.lt|
|updated Russian translation thanks to Ekaterina Golubina (supported by Teplitsa of Social Technologies – http://te-st.ru) and Vyacheslav Strenadko, http://slavblog.ru|
|updated Spanish translation thanks to David Ramírez, http://www.hiperterminal.com, Alvaro Lara, http://www.alvarolara.com, Victor Guevara, http://1sistemas.net, Ricardo Viteri, http://www.labviteri.com, Juan Valdes and Marta Espinalt, http://www.martika.es|
|updated Swedish translation thanks to Olof Odier, Tedy Warsitha, Dan Paulsson, Elger Lindgren, http://bilddigital.se, Anton Andreasson, http://andreasson.org/ and Tony Lygnersjö – https://www.dumsnal.se/|
How to download / update
The easiest way to update is to use the WordPress update process: log in as a user who has admin privileges, navigate to Dashboard / Updates, select the plugins to update and press the button “Update Plugins”. Alternatively, you can also download the current version here, unzip the package and overwrite the plugin's files on your webserver.