prep 3.5.4 release

10up · Feb 12, 2021 · c80bea9 · c80bea9
1 parent 97d9117
commit c80bea9
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).
 
+## [3.5.4]
+
+This is primarily a security and bug fix release. PLEASE NOTE that versions 3.5.2 and 3.5.3 contain a vulnerability that allows a user to bypass the nonce check associated with re-sending the unaltered default search query to ElasticPress.io that is used for providing Autosuggest queries. If you are running version 3.5.2. or 3.5.3 please upgrade to 3.5.4 immediately.
+
+Security Fix:
+* Fixed a nonce check associated with updating the default Autosuggest search query in ElasticPress.io. Props [@felipeelia](https://github.com/felipeelia)
+
+Bug Fixes:
+* Fix broken click on highlighted element in Autosuggest results. Props [@felipeelia](https://github.com/felipeelia)
+* Properly cast `from` parameter in `$formatted_args` to an integer to prevent errors if empty. Props [@CyberCyclone](https://github.com/CyberCyclone)
+
+Enhancements:
+* Add an `ep_is_facetable` filter to enable custom control over where to show or hide Facets. Props [@moraleida]
+* Improvements to contributing documentation and tests. Props [@jeffpaul](https://github.com/jeffpaul) and [@felipeelia](https://github.com/felipeelia)
+
 ## [3.5.3]
 
 This is a bug fix release.

diff --git a/CREDITS.md b/CREDITS.md
@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Aaron Holbrook (@AaronHolbrook)](https://github.com/AaronHolbrook), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Matt Gross (@mattonomics)](https://github.com/mattonomics), [Chris Marslender (@cmmarslender)](https://github.com/cmmarslender), [Gustave F. Gerhardt (@GhostToast)](https://github.com/GhostToast), [Scott Kingsley Clark (@sc0ttkclark)](https://github.com/sc0ttkclark), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks). [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Jonathan Bardo (@jonathanbardo)](https://github.com/jonathanbardo), [Ryan Boswell (@ryanboswell)](https://github.com/ryanboswell), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Jason Boyle (@Jaace)](https://github.com/Jaace), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Mikael Mattsson (@mikaelmattsson)](https://github.com/mikaelmattsson), [Eduard Maghakyan (@EduardMaghakyan)](https://github.com/EduardMaghakyan), [Allan Collins (@allan23)](https://github.com/allan23), [Doug Stewart (@zamoose)](https://github.com/zamoose), [Hannes Kandulla (@HKandulla)](https://github.com/HKandulla), [Michael Phillips (@mphillips)](https://github.com/mphillips), [Tuan Minh Huynh (@tuanmh)](https://github.com/tuanmh), [Alex Bouma (@stayallive)](https://github.com/stayallive), [James Mehorter (@jamesmehorter)](https://github.com/jamesmehorter), [Chris Wiegman (@ChrisWiegman)](https://github.com/ChrisWiegman), [Gustavo Bordoni (@bordoni)](https://github.com/bordoni), [Joel Garcia Jr (@joelgarciajr84)](https://github.com/joelgarciajr84), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Russell Heimlich (@kingkool68)](https://github.com/kingkool68), [Matthew Spencer (@matthewspencer)](https://github.com/matthewspencer), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [John P. Bloch (@johnpbloch)](https://github.com/johnpbloch), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Brian Watson (@bswatson)](https://github.com/bswatson), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Dana Ross (@dana-ross)](https://github.com/dana-ross), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Ross Luebe (@rossluebe)](https://github.com/rossluebe), [Matt Gibbs (@mgibbs189)](https://github.com/mgibbs189), [Mustafa Uysal (@mustafauysal)](https://github.com/mustafauysal), [Craig Miller (@craigmillerdev)](https://github.com/craigmillerdev), [Ryan Veitch (@rveitch)](https://github.com/rveitch), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Kristoffer Svanmark (@Svanmark)](https://github.com/Svanmark), [Jerry Volfson (@jvolfson)](https://github.com/jvolfson), [David Naber (@dnaber-de)](https://github.com/dnaber-de), [David Arceneaux (@DArcMattr)](https://github.com/DArcMattr), [Ben Cumber (@bcumber)](https://github.com/bcumber), [Nícholas André (@nicholasio)](https://github.com/nicholasio), [Jeremy Madison (@jdmadison)](https://github.com/jdmadison), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Dreb Bits (@drebbits)](https://github.com/drebbits), [Shakeel Sorathia (@ssorathia)](https://github.com/ssorathia), [André Philip Kallehauge (@kallehauge)](https://github.com/kallehauge), [Fabian Marz (@fabianmarz)](https://github.com/fabianmarz), [IWriteThings (@IWriteThings)](https://github.com/IWriteThings), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Jason Bahl (@jasonbahl)](https://github.com/jasonbahl), [Dustin Rue (@dustinrue)](https://github.com/dustinrue), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Mallory Adams (@mallorydxw)](https://github.com/mallorydxw), [John Eismeier (@jeis2497052)](https://github.com/jeis2497052), [Dotan Cohen (@dotancohen)](https://github.com/dotancohen), [Yaron Uliel (@yaronuliel)](https://github.com/yaronuliel), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Vasken Hauri (@brandwaffle)](https://github.com/brandwaffle), [Derrick Koo (@dkoo)](https://github.com/dkoo), [Aaron Brazell (@technosailor)](https://github.com/technosailor), [Johannes Kinast (@goaround)](https://github.com/goaround), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Gassan Gousseinov (@gassan)](https://github.com/gassan), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [Helen Hou-Sandi (@helen)](https://github.com/helen), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [columbian-chris (@columbian-chris)](https://github.com/columbian-chris), [John Spellman (@jspellman814)](https://github.com/jspellman814), [Mindaugas Budreika (@mch0lic)](https://github.com/mch0lic), [Thorsten Ott (@tott)](https://github.com/tott), [William Gladstone (@willgladstone)](https://github.com/willgladstone), [Michael LaRoy (@mlaroy)](https://github.com/mlaroy), [Shady Sharaf (@shadyvb)](https://github.com/shadyvb), [Liam Gladdy (@lgladdy)](https://github.com/lgladdy), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Retro64XYZ (@Retro64XYZ)](https://github.com/Retro64XYZ), [Alex Wybraniec (@alexwybraniec)](https://github.com/alexwybraniec), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Felipe Elia (@felipeelia)](https://github.com/felipeelia), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Christian Chung (@christianc1)](https://github.com/christianc1), [Paul de Wouters  (@pdewouters)](https://github.com/pdewouters), [Edwin Siebel (@edwinsiebel)](https://github.com/edwinsiebel), [Guillaume Kanoufi (@g-kanoufi)](https://github.com/g-kanoufi), [Ames Plant (@amesplant)](https://github.com/amesplant), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [Brandon Skinner (@brandon-m-skinner)](https://github.com/brandon-m-skinner), [johanneson (@johanneson)](https://github.com/johanneson), [Alex Woollam (@alexwoollam)](https://github.com/alexwoollam), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Ramon Ahnert (@Rahmon)](https://github.com/Rahmon).
+[Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Aaron Holbrook (@AaronHolbrook)](https://github.com/AaronHolbrook), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Matt Gross (@mattonomics)](https://github.com/mattonomics), [Chris Marslender (@cmmarslender)](https://github.com/cmmarslender), [Gustave F. Gerhardt (@GhostToast)](https://github.com/GhostToast), [Scott Kingsley Clark (@sc0ttkclark)](https://github.com/sc0ttkclark), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks). [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Jonathan Bardo (@jonathanbardo)](https://github.com/jonathanbardo), [Ryan Boswell (@ryanboswell)](https://github.com/ryanboswell), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Jason Boyle (@Jaace)](https://github.com/Jaace), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Mikael Mattsson (@mikaelmattsson)](https://github.com/mikaelmattsson), [Eduard Maghakyan (@EduardMaghakyan)](https://github.com/EduardMaghakyan), [Allan Collins (@allan23)](https://github.com/allan23), [Doug Stewart (@zamoose)](https://github.com/zamoose), [Hannes Kandulla (@HKandulla)](https://github.com/HKandulla), [Michael Phillips (@mphillips)](https://github.com/mphillips), [Tuan Minh Huynh (@tuanmh)](https://github.com/tuanmh), [Alex Bouma (@stayallive)](https://github.com/stayallive), [James Mehorter (@jamesmehorter)](https://github.com/jamesmehorter), [Chris Wiegman (@ChrisWiegman)](https://github.com/ChrisWiegman), [Gustavo Bordoni (@bordoni)](https://github.com/bordoni), [Joel Garcia Jr (@joelgarciajr84)](https://github.com/joelgarciajr84), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Russell Heimlich (@kingkool68)](https://github.com/kingkool68), [Matthew Spencer (@matthewspencer)](https://github.com/matthewspencer), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [John P. Bloch (@johnpbloch)](https://github.com/johnpbloch), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Brian Watson (@bswatson)](https://github.com/bswatson), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Dana Ross (@dana-ross)](https://github.com/dana-ross), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Ross Luebe (@rossluebe)](https://github.com/rossluebe), [Matt Gibbs (@mgibbs189)](https://github.com/mgibbs189), [Mustafa Uysal (@mustafauysal)](https://github.com/mustafauysal), [Craig Miller (@craigmillerdev)](https://github.com/craigmillerdev), [Ryan Veitch (@rveitch)](https://github.com/rveitch), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Kristoffer Svanmark (@Svanmark)](https://github.com/Svanmark), [Jerry Volfson (@jvolfson)](https://github.com/jvolfson), [David Naber (@dnaber-de)](https://github.com/dnaber-de), [David Arceneaux (@DArcMattr)](https://github.com/DArcMattr), [Ben Cumber (@bcumber)](https://github.com/bcumber), [Nícholas André (@nicholasio)](https://github.com/nicholasio), [Jeremy Madison (@jdmadison)](https://github.com/jdmadison), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Dreb Bits (@drebbits)](https://github.com/drebbits), [Shakeel Sorathia (@ssorathia)](https://github.com/ssorathia), [André Philip Kallehauge (@kallehauge)](https://github.com/kallehauge), [Fabian Marz (@fabianmarz)](https://github.com/fabianmarz), [IWriteThings (@IWriteThings)](https://github.com/IWriteThings), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Jason Bahl (@jasonbahl)](https://github.com/jasonbahl), [Dustin Rue (@dustinrue)](https://github.com/dustinrue), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Mallory Adams (@mallorydxw)](https://github.com/mallorydxw), [John Eismeier (@jeis2497052)](https://github.com/jeis2497052), [Dotan Cohen (@dotancohen)](https://github.com/dotancohen), [Yaron Uliel (@yaronuliel)](https://github.com/yaronuliel), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Vasken Hauri (@brandwaffle)](https://github.com/brandwaffle), [Derrick Koo (@dkoo)](https://github.com/dkoo), [Aaron Brazell (@technosailor)](https://github.com/technosailor), [Johannes Kinast (@goaround)](https://github.com/goaround), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Gassan Gousseinov (@gassan)](https://github.com/gassan), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [Helen Hou-Sandi (@helen)](https://github.com/helen), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [columbian-chris (@columbian-chris)](https://github.com/columbian-chris), [John Spellman (@jspellman814)](https://github.com/jspellman814), [Mindaugas Budreika (@mch0lic)](https://github.com/mch0lic), [Thorsten Ott (@tott)](https://github.com/tott), [William Gladstone (@willgladstone)](https://github.com/willgladstone), [Michael LaRoy (@mlaroy)](https://github.com/mlaroy), [Shady Sharaf (@shadyvb)](https://github.com/shadyvb), [Liam Gladdy (@lgladdy)](https://github.com/lgladdy), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Retro64XYZ (@Retro64XYZ)](https://github.com/Retro64XYZ), [Alex Wybraniec (@alexwybraniec)](https://github.com/alexwybraniec), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Felipe Elia (@felipeelia)](https://github.com/felipeelia), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Christian Chung (@christianc1)](https://github.com/christianc1), [Paul de Wouters  (@pdewouters)](https://github.com/pdewouters), [Edwin Siebel (@edwinsiebel)](https://github.com/edwinsiebel), [Guillaume Kanoufi (@g-kanoufi)](https://github.com/g-kanoufi), [Ames Plant (@amesplant)](https://github.com/amesplant), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [Brandon Skinner (@brandon-m-skinner)](https://github.com/brandon-m-skinner), [johanneson (@johanneson)](https://github.com/johanneson), [Alex Woollam (@alexwoollam)](https://github.com/alexwoollam), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Ramon Ahnert (@Rahmon)](https://github.com/Rahmon). [Casey Gibson (@CyberCyclone)](https://github.com/CyberCyclone),
 
 ## Libraries
 

diff --git a/elasticpress.php b/elasticpress.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: ElasticPress
  * Description: A fast and flexible search and query engine for WordPress.
- * Version:     3.5.3
+ * Version:     3.5.4
  * Author:      10up
  * Author URI:  http://10up.com
  * License:     GPLv2 or later
@@ -28,7 +28,7 @@
 define( 'EP_URL', plugin_dir_url( __FILE__ ) );
 define( 'EP_PATH', plugin_dir_path( __FILE__ ) );
 define( 'EP_FILE', plugin_basename( __FILE__ ) );
-define( 'EP_VERSION', '3.5.3' );
+define( 'EP_VERSION', '3.5.4' );
 
 /**
  * PSR-4-ish autoloading

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "elasticpress",
-  "version": "3.5.3",
+  "version": "3.5.4",
   "license": "GPL-2.0-or-later",
   "description": "A fast and flexible search and query engine for WordPress.",
   "devDependencies": {

diff --git a/readme.txt b/readme.txt
@@ -43,6 +43,21 @@ Please refer to [Github](https://github.com/10up/ElasticPress) for detailed usag
 
 == Changelog ==
 
+= 3.5.4 =
+
+This is primarily a security and bug fix release. PLEASE NOTE that versions 3.5.2 and 3.5.3 contain a vulnerability that allows a userto bypass the nonce check associated with re-sending the unaltered default search query to ElasticPress.io that is used for providing Autosuggest queries. If you are running version 3.5.2. or 3.5.3 please upgrade to 3.5.4 immediately.
+
+Security Fix:
+* Fixed a nonce check associated with updating the default Autosuggest search query in ElasticPress.io. Props [@felipeelia](https://github.com/felipeelia)
+
+Bug Fixes:
+* Fix broken click on highlighted element in Autosuggest results. Props [@felipeelia](https://github.com/felipeelia)
+* Properly cast `from` parameter in `$formatted_args` to an integer to prevent errors if empty. Props [@CyberCyclone](https://github.com/CyberCyclone)
+
+Enhancements:
+* Add an `ep_is_facetable` filter to enable custom control over where to show or hide Facets. Props [@moraleida]
+* Improvements to contributing documentation and tests. Props [@jeffpaul](https://github.com/jeffpaul) and [@felipeelia](https://github.com/felipeelia)
+
 = 3.5.3 =
 
 This is a bug fix release.