It has always been our priority in ensuring that all our products are safe from any exploits. Today, while the team are in the midst of working on EasyArticles and EasySocial 2.1, a security analyst provided us with some insights on the way EXIF information was being processed in EasySocial which may lead to an unwanted xss attack.
This possible mode of attack could affect sites that are processing EXIF metadata on photos uploaded on the site. If your site doesn't have EXIF installed or if you have already disabled this feature, you will not be affected but you are advised to update to the latest release as this release addresses the way EXIF metadata are being processed and on top of that, we have also included some bug fixes and minor enhancements into this update as well.
If you are using any versions prior to 2.0.19, kindly update to the latest version as soon as you can. Should you need any assistance with updating to the latest version, get in touch with us on our forums and our support guys will be there to assist you with the update. Please also refer to the link below for the changes and fixes applied in this update.
If you have an expired EasySocial license, you could use the coupon code SOCIAL25 to obtain 25% discount for your renewals. Please note that this coupon code valids till June 4th, 2017.
All credits goes to Pedro (@tunelko) for discovering this loophole.
We understand that not every customer is running on EasySocial 2.x or is not ready to upgrade their site yet. Therefore we urge you to download the patch file below for prior releases and patch it to your site. There is only a single file involved, you just need to extract the zip file and upload the photo.php file into the folder /administrator/components/com_easysocial/tables and you are good to go.