Finally some good news, but 1* and 2* reason should not be optional.
I also totally agree! Some users give a one star rating to our plugins just because they cannot properly install / setup them (even with included well-detailed documentation) or they have a lot of outdated themes / plugins that can cause a lot of issues, etc.
I think that these are not correct reasons!
OK so we’re also confused:
We – as an author – CANNOT give permission to our customers about including our products in their themes (if they purchased an extended license of course)?
We are the authors of this plugin.
Yes, this was a security issue, but we already fixed it quickly with version 3.6 as soon as we discovered this problem. We are sorry about this and of course it was our responsibility, but there are several reasons why we didn’t mention this issue. As you may know, most of our customers are out of reach since Envato doesn’t offer any way to alert all of our customers. So the most important reason why we didn’t want to make this issue public, because some of our customers are still using v3.5 and we actually could make it worst by letting “hackers” to get know about this issue. This is the case with this forum thread. You may alter a few LayerSlider WP users, but you also make this issue public and now some bad people can use it to mess with our customers.
We did everything we can to tell our customers how important is updating the plugin. We did write a comment in the comments section of the item, although we didn’t mentioned this issue because of the reasons above. We did make contact with popular theme authors like the Avada guys and they are now ship their themes with LayerSlider WP version 3.6.
We truly believe that this issue is a minor security case. It is only affects the plugin, there is no door for your WP installation. The intruder cannot actually delete your sliders, it is only flagged as removed, but that slider is still in your database unmodified and you can recover it at any time.
Also, it worth to mention that this issue is more like a WordPress issue rather than a plugin issue. We did assume that WP won’t let request through by visitors without permission to open the plugin page. If WP would check the permissions properly, it could never happen. And you have to understand that there is a lot of automatic subroutines in a framework which aren’t documented, so we never get a chance to know about this can cause problems.
Now the problem is that everyone who wants to make bad jokes and reads this topic will start digging about this issue and they can mess with people who aren’t updated the plugin. You should know that we can’t do anything to tell everyone about how important is updating the plugin. Really few of them will read this thread and we truly thinks this wasn’t a smart step because you basically told every “hacker” how they can use a security hole which won’t end well.
Again, this issue is already fixed and we didn’t mentioned not to cover our mistake, but the safety of our customers. We truly sorry for any inconveniences.