WP Cerber 9.8.3 is now available

This is a maintenance and hardening release focused on the parts of a WordPress security plugin that matter most during real administration work: notification emails, scanner messages, Traffic Inspector searches, and Activity and Traffic log exports.

  • Email handling was tightened for 2FA PIN messages and Activity Alert notifications. WordPress profile names are now sanitized before being used in Name <email> recipient strings. Characters that can affect recipient parsing, including commas, quotes, backslashes, angle brackets, and control characters, are stripped to prevent crafted display names from altering the recipient list.

  • Scanner notices now handle external plugin ownership metadata more defensively. Data from WordPress.org is rendered through safer UI components instead of being mixed into admin HTML directly, preventing potential XSS or data injection in the dashboard path.

  • Traffic Inspector search is more accurate. The “Any software error” filter now respects other selected filters instead of letting an internal OR condition override the surrounding search logic. Search terms containing % or _ are also treated as literal characters, not accidental SQL LIKE wildcards.

  • Large Activity and Traffic log exports were rebuilt around database streaming. Rows are exported in a single pass instead of repeated offset-based chunks, which avoids deep-offset scans and keeps PHP memory usage flatter on massive log tables. On Nginx with PHP-FPM, X-Accel-Buffering: no helps send CSV chunks immediately instead of buffering the whole export first.

  • CSV exports now include the oldest and newest timestamps covered by the file. That makes archived exports easier to use during incident review, troubleshooting, and later comparison.

If you rely on Activity Alerts, 2FA PIN emails, Traffic Inspector searches, or large security-log exports, install this release promptly.

1 Like