@mikeshand do you have a link to the reported issue? I’m up for helping fix it since I need the plugin currently on a large base of sites. I just can’t find the reported issue.
It does look like there is a fix waiting for review on the plugin that adds a bunch of escaping and is tagged as 2.2.4. There may be a decent wait though as I know plugin review is far behind.
https://plugins.trac.wordpress.org/changeset/2956441/simple-staff-list
@mikeshand @curtismchale the tie has already been resubmitted to the plugin review team and I’m waiting to hear back from them.
I’m withholding the fix from GitHub until the fix is made available here out of an abundance of caution. The reported issue would require that a user already have admin access with at least an Editor role. Given that, it seems unlikely that this particular vulnerability would be targeted.
@brettshumaker thanks. I grabbed the copy from SVN and am rolling it out to my sites/customers now as it’s deploy day. I can move back to the official version in a few days once it’s back live for everyone.