Jetpack has released version 5.6.1 which hardens the Contact Form module by improving permissions checking when updating a form's settings. In addition to security fixes, the character count for when Publicize publishes content to Twitter has been increased to 280.
This release also fixes a bug that disabled the ability to save widgets after removing a Widget Visibility rule. Users are encouraged to update as soon as possible, especially if you make heavy use of the Contact Form module.
Category: Plugins
I’m confused how those changes to the contact form module improve security. It appears to be just adjustments to user permissions, but the contact form data is stored in the form of a shortcode, and the page being edited should control those permissions anyway.
I’d already done a full audit of those code in there for a previous project. I didn’t think there were any problems in that section at the time, and I’m still confused as to how the change is an improvement. It seems to be just doing the same job twice, but perhaps I’m missing something obvious :/