Vanilla 2.18.4 was released to address an XSS issue and some minor bugs

Mar 27, 2012 08:11 GMT  ·  By

Vanilla 2.18.4 was released to address a security hole that exposed forums to cross-site scripting (XSS) attacks, along with other minor bugs.

A Vanilla community member reports that the update also fixes an unauthorized database manipulation issue.

“When posting a form, a client can tamper with the form values in any way, adding new parameters or changing the values of those that were not supposed to be changed by the client,” sunsetbc, the user who reported the flaw, wrote on GitHub.

“On the server side only expected parameters that were in the original form are validated, and the rest are saved to the database with a simple check for data type match.”
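The behaviour sunsetbc describes is a mass-assignment flaw: the server trusts whatever keys arrive in the POST body as long as their types fit the table. The following is an added example, not from the article or from Vanilla's code base, with constructed column names, form fields and request body; it contrasts that type-check-only handling with a handler that accepts only the fields present in the rendered form.

```python
"""Added example (not Vanilla's code): keeping client-added form
parameters out of the database by allowlisting the rendered form's fields.
Column names, form fields and the POST body are constructed."""
from typing import Any, Dict, List, Tuple

# Columns of the table the form writes to, with the type each accepts.
# Constructed for this example; not Vanilla's real schema.
USER_COLUMNS = {"Name": str, "Email": str, "ShowEmail": bool,
                "Admin": bool, "Banned": bool}

# Fields the server actually put into the rendered profile form. This is
# the allowlist: only these may be set by the client on this request.
PROFILE_FORM_FIELDS = ("Name", "Email", "ShowEmail")


def save_by_type_only(post: Dict[str, Any]) -> Dict[str, Any]:
    """Handling as described in the report: every submitted key is kept
    as long as it names a column and its value has the column's type."""
    return {k: v for k, v in post.items()
            if k in USER_COLUMNS and isinstance(v, USER_COLUMNS[k])}


def save_allowlisted(post: Dict[str, Any]) -> Tuple[Dict[str, Any], Tuple[str, ...]]:
    """Hardened handling: keep only fields that were in the rendered form
    and carry the expected type; return every dropped key so the caller
    can log it (unexpected keys are a useful tampering signal)."""
    kept: Dict[str, Any] = {}
    dropped: List[str] = []
    for key, value in post.items():
        if key in PROFILE_FORM_FIELDS and isinstance(value, USER_COLUMNS[key]):
            kept[key] = value
        else:
            dropped.append(key)
    return kept, tuple(dropped)


# Constructed POST body: the form's own fields plus one the client added.
TAMPERED_POST = {"Name": "alice", "Email": "alice@example.com",
                 "ShowEmail": False, "Admin": True}

if __name__ == "__main__":
    print("type check only:", save_by_type_only(TAMPERED_POST))
    kept, dropped = save_allowlisted(TAMPERED_POST)
    print("allowlisted:", kept, "dropped:", dropped)
```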

Vanilla users are advised to update their forums to protect them against XSS and form-tampering attacks.

Vanilla 2.18.4 is available for download here.
