Summary
This update includes a security enhancement that prevents a site owner from inadvertently creating a vulnerability when using the PDF Download Link together with the Gravity Forms Page Confirmation.
Does this vulnerability affect you?
To be affected, site owners would need to have added a [gravitypdf] shortcode – which generates a PDF Download Link – on a public WordPress post/page, and to have specifically enabled the optional Signed PDF URL feature.
Since August 2022, the Gravity PDF documentation for the Page Confirmation and PDF Download Link configuration has included a prominent alert warning users about the potential for misconfiguration.
To prevent this vulnerability altogether, the 6.9.1 release automatically disables the Signed PDF URL feature whenever the entry ID is supplied by the user via a URL parameter (which is the case with Page Confirmations).
Refer to our documentation to learn more about the security protocols Gravity PDF uses to prevent unauthorised access to your PDFs.
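The rule described above, as an added illustration written for this post and not Gravity PDF's own code: a generic HMAC-signed download link, and the 6.9.1 behaviour of refusing to sign when the entry ID arrived via a URL parameter. The URL layout, the parameter names (pid, lid, expires, signature), the demo secret and the premise that a signed link is honoured as a bearer token without the endpoint's usual login/owner checks are all assumptions of the example, not details taken from the plugin.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret; a real site would use a per-installation secret kept out of source control.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _signature(unsigned_url: str, secret: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the whole unsigned URL, so pid, lid and expires are all covered."""
    return hmac.new(secret, unsigned_url.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_pdf_url(base_url: str, pdf_id: str, entry_id: int, expires: int) -> str:
    """Return a signed download URL. In this model, whoever holds it can fetch that
    entry's PDF until it expires, with no further login or ownership check."""
    unsigned = f"{base_url}?{urlencode({'pid': pdf_id, 'lid': entry_id, 'expires': expires})}"
    return f"{unsigned}&signature={_signature(unsigned)}"


def verify_pdf_url(url: str, now: int) -> bool:
    """Recompute the signature over the canonical unsigned URL; reject tampered or expired links."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    presented = params.get("signature", [""])[0]
    if not presented:
        return False
    # Rebuild the unsigned URL exactly as sign_pdf_url produced it.
    rebuilt = f"{parts.scheme}://{parts.netloc}{parts.path}?" + urlencode(
        {k: params[k][0] for k in ("pid", "lid", "expires") if k in params}
    )
    if not hmac.compare_digest(_signature(rebuilt), presented):
        return False
    return int(params.get("expires", ["0"])[0]) > now


def build_download_link(base_url: str, pdf_id: str, entry_id: int,
                        entry_id_from_request: bool, want_signed: bool,
                        now: int, ttl: int = 600) -> dict:
    """Mirror the 6.9.1 rule: never sign a link whose entry ID was chosen by the visitor.

    A signed URL acts as a bearer token that skips the download endpoint's regular
    access checks. If the entry ID came from a URL parameter (Page Confirmations),
    signing it would hand any visitor a valid token for whichever entry they name,
    so the link is emitted unsigned and the endpoint's normal checks apply instead.
    """
    signed = want_signed and not entry_id_from_request
    if signed:
        url = sign_pdf_url(base_url, pdf_id, entry_id, now + ttl)
    else:
        url = f"{base_url}?{urlencode({'pid': pdf_id, 'lid': entry_id})}"
    return {"url": url, "signed": signed}


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock for a reproducible demo
    # Entry ID known server-side (e.g. the submission that just completed): signing is allowed.
    print(build_download_link("https://example.test/pdf", "demo", 42, False, True, now))
    # Entry ID taken from a URL parameter: signing is refused even though it was requested.
    print(build_download_link("https://example.test/pdf", "demo", 42, True, True, now))
```

The important branch is the single line `signed = want_signed and not entry_id_from_request`: the provenance of the entry ID, not merely its value, decides whether a bearer-style link may be minted.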
How to Upgrade Gravity PDF?
This update is available via WordPress One-Click Updates, or the plugin can be downloaded from WordPress.org and installed manually via File Upload or FTP.
If you have any questions or need assistance, please reach out to our friendly support team.
Changelog
Security
- Disable the Signed URL feature in the [gravitypdf] shortcode when a URL parameter provides the entry ID (e.g. Page Confirmations)
Housekeeping
- Small improvement to performance when reading template and font files from disk
Bugs Fixed
- Gracefully handle invalid conditional logic rules when adding date entry meta support
- Display field for entry metadata PDF conditional rule when there are no form fields compatible with conditional logic
- Ensure the template cache is correctly cleared when PDF Debug Mode is enabled
- Flush the template cache after installing new templates via the PDF Template Manager
- Clear the template cache when the plugin is deactivated