Update: WoltLab Suite 5.2.5 / 3.1.13 / 3.0.24

  • We have just released new versions of our products:

    • WoltLab Suite 5.2.5
    • WoltLab Suite 3.1.13
    • WoltLab Suite 3.0.24


    Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features; It is strongly recommended to apply these updates.

    Users Sending Emails to Users

    The software contains a legacy feature that enables users (and if configured, also guests) to send emails to other users. This feature has little use today, but is more often than not overlooked by administrators, especially those migrating from previous versions. The form uses a dedicated group permissions that was enabled by default in previous versions and was often left unchanged.


    It has come to our attention that attackers take advantage of this feature and actively abused it to send out spam emails to other users. We've taken two steps to mitigate this issue to some extent:

    1. Force revoked the group permissions to use this form. Site owner can grant the permissions again at their own discrection, although we strongly advise against this.
    2. The captcha protection of the mail form was previously enabled for guest access only and is now enforced for users alike. This is the first form to enforce the captcha for logged-in users too.

    This change has previously been applied to the 5.2 series and is now in full effect for the entire WoltLab Suite 3.x series.

    Performing System Updates

    Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.

    Notable Changes

    The list below includes only significant changes, minor fixes or typos are generally left out.

    WoltLab Suite Blog

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1

    WoltLab Suite Calendar

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1

    WoltLab Suite Filebase

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1
    • File owners were unable to delete responses to reviews despire having the permissions. 5.2

    WoltLab Suite Gallery

    • The list of deleted images raised an exception when viewed by guests. 3.0 3.1
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1

    WoltLab Suite Forum

    • Attempting to move a thread raised an exception in PHP 7.4. 5.0 5.1
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.1 5.2

    WoltLab Suite Core: Conversations

    • Resolved an issue when replying to conversations when one or more participants were deleted. 3.0 3.1
    • The import from vBulletin could fail due to an incorrect recognition of numeric values. 3.0 3.1 5.2

    WoltLab Suite Core

    • Resolved two compatibility issues with PHP 7.4. 3.0 3.1
    • Reading articles yielded an incorrect location in the users online list. 3.0 3.1 5.2
    • Requests dispatched through HTTPRequest would not apply the timeout value to the stream itself. 3.0 3.1 5.2
    • Improved the behavior of the mobile message UI. 3.1
    • Optimized the processing speed of messages with excessive amounts of HTML nodes. 3.1 5.2
    • An incorrect sort direction caused packages installed via the package server to sometimes favor older versions over newer ones. 3.1 5.2
    • Removed the compatibility check for the API versions. 3.1
    • Overly restrictive permission checks for non owner groups. 5.2

    Alexander Ebert
    Senior Developer WoltLab® GmbH

  • We have just released an update for the package "WoltLab Suite Core: Conversations" that addresses one major and one minor issue.

    Abuse of Conversations for the Purpose of Sending Spam

    We have become aware of a sophisticated bot that specifically targets the conversation system of our software in an attempt to mass send messages to registered users. The attack pattern consists of two phases, in the first phase the members list is scraped to collect the list of usernames. The second phase involves the start of a new conversation with each user previously found in the first phase, with the advertisement placed in the start message. The bot has also been programmed to immediately leave the conversations in an effort to circumvent the limit of the number of active conversations per user.


    Following these events, we have implemented a new restriction in order to mitigate this kind of attack and to prevent further abuses in that direction. WoltLab Suite 3.0, 3.1 and 5.2 just received an update to the conversation system that limits the number of started conversations within a rolling 24 hour period. The default value enforces a limit of 10 for regular users, administrators are not restricted by this new permission.


    Site owners can adjust the limits per user group, with the special value -1 used to remove the limit entirely for select user groups. The permission is named Maximum Number of Started Conversations per 24 Hours.

    Minor Issue: Potential Leak of Invisible Participants of Conversations

    This update also resolves an issue that allowed to indirectly probe for hidden participants by abusing the participant filter in the conversation list and comparing the result to the actual participant list. We have resolved this issue and have also identified a potential performance bottleneck that has been fixed too.

    Alexander Ebert
    Senior Developer WoltLab® GmbH