@j.hoffmann instead of guessing you can see the difference in the code to see if it is “security” related, or just a “bug” as they call it (or I say it is done purposely for marketing reasons, already mentioned why)
And that way I just discovered that this plugin we are under now (MonsterInsights – Google Analytics Dashboard for WordPress):
A) https://wordpress.org/support/plugin/google-analytics-for-wordpress/
is the same as (ExactMetrics – Google Analytics Dashboard for WordPress):
B) https://wordpress.org/plugins/google-analytics-dashboard-for-wp/
which I frankly didn’t know until now. Having in mind 1-star reviews, I’m sure a lot of people migrate from B to A hoping they get something different, but surprisingly these days they’ve got the same *** as the code is exactly the same thus the “bug” as well 😉
@chriscct7 as now it is clear you control both plugins listed below, could you please explain how this “bug” works. Note that all sorts of older versions were autoupdated to the x.10 of both plugins; if there was a bug in, let’s say, 8.2.0, that would mean that it would have autoupdated to the next version a long time ago, which is not the case – it updated to 8.10.0 and not to any of the previous ones.
Here are some examples that we have:
Google Analytics for WordPress by MonsterInsights
8.2.0 to 8.10.0
8.3.0 to 8.10.0
8.9.1 to 8.10.0
Google Analytics Dashboard for WP (GADWP)
7.5.0 to 7.10.0
7.8.2 to 7.10.0
7.9.1 to 7.10.0
It is not possible to affect installed version by a future bug in x.10 version, is it :)) Which only means that you forced somehow millions of sites to autoupdate even when the site owners had selected explicitly NOT TO autoupdate.
> Which only means that you forced somehow millions of sites to autoupdate even when the site owners had selected explicitly NOT TO autoupdate
We did not, that’s not allowed on .org
> It is not possible to affect installed version by a future bug in x.10 version, is it
It absolutely is.
We have a version check in the autoupdate feature code to be able to do the autoupdate only on minor release on feature, it uses the wrong comparison operator, and this is the first time it’s happened because it’s the first time we’ve ever done a release with a two digit major version number (x.yy as opposed to x.y).
Since we’ve offered this feature since the beginning of our plugin, it doesn’t matter which version is installed, they all have the bug.
ExactMetrics is our sister product which we acquired a while ago. While they share many of the same features, they are worked on by two different teams and have many differences in terms of both features and future roadmap.
@dingdang Just for your information: That is exactly what I have done. I went through the code and found 3 lines which were added and apply the strip_tags() function to an API response. Not knowing the codebase, I just didn’t have the time to explore deeper. But that function is a way to remove injected <script> tags for example. So my “guess” was well educated.
The 8.10.1 update to fix this issue has been released.
-Chris
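The failure mode described in the reply above (a version gate that behaves until a component reaches two digits), as an added example that is not part of the thread and not the plugins' code. The function names and the numeric-cast gate are assumptions, chosen only because they reproduce the version pairs listed in the thread; the corrected form compares integer components and uses PHP's version_compare().

```php
<?php
// Added illustration: hypothetical "minor updates only" gate.
// Not MonsterInsights or ExactMetrics code; all names are assumptions.

// Assumed buggy gate: casts the version to a number, so "8.10.0" becomes 8.1.
function is_minor_update_buggy(string $installed, string $offered): bool
{
    $cur = (float) $installed; // "8.9.1"  -> 8.9
    $new = (float) $offered;   // "8.10.0" -> 8.1 (trailing zero is lost)
    // Intent: the offered release is not a newer feature release.
    return $new <= $cur;
}

// Integer "x.y" prefix of a version string, e.g. "8.10.0" -> [8, 10].
function feature_line(string $version): array
{
    $parts = array_map('intval', explode('.', $version));
    return [$parts[0] ?? 0, $parts[1] ?? 0];
}

// Corrected gate: same x.y line, and strictly newer by version_compare().
function is_minor_update_fixed(string $installed, string $offered): bool
{
    return feature_line($installed) === feature_line($offered)
        && version_compare($offered, $installed, '>');
}

$pairs = [
    // Version pairs reported in the thread.
    ['8.2.0', '8.10.0'], ['8.3.0', '8.10.0'], ['8.9.1', '8.10.0'],
    ['7.5.0', '7.10.0'], ['7.8.2', '7.10.0'], ['7.9.1', '7.10.0'],
    // Constructed controls: a single-digit feature release and a patch release.
    ['8.8.0', '8.9.0'], ['8.9.1', '8.9.2'],
];

foreach ($pairs as [$installed, $offered]) {
    printf(
        "%-6s -> %-7s numeric cast allows: %-3s  component compare allows: %s\n",
        $installed,
        $offered,
        is_minor_update_buggy($installed, $offered) ? 'yes' : 'no',
        is_minor_update_fixed($installed, $offered) ? 'yes' : 'no'
    );
}
```

The constructed 8.8.0 to 8.9.0 control is refused by both gates, which is why a check of this shape can go unnoticed through every single-digit release and only misfire at x.10.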