I applied the fix that you sent in the zip file - but it did not make a different - the forms still sent a notification even just by opening the saving the post with no changes.
I'm going to try the activity logging plugin that you have recommended and let you know what I find out.
So this is really strange. I installed the Activity Log onto my writingmusicaltheatre.com site - because it has far fewer plugins, and only one main form that triggers notifications.
I just downloaded the activity log - and it show literally hundreds of log-ins with "wrong password" - but they are all attributed to IP address 142.4.19.211 - which is my own server. (and they certainly weren't me).
However - I don't see any actions taken by any of them.
I just went in and did something that I knew would trigger a notification - and then checked the log again - and it quite clearly showed that IP address 142.4.19.211 logged in an updated a post. (and the notification did send).
However - about an hour ago, I received a notification that shouldn't have gone out - that I didn't send - and there is no record of that post update in the activity log.
I'm not sure how to interpret all of that.
What does it mean that there is so much activity - even if it is the wrong password - directly from my IP address? Does that mean someone is getting into my control panel, or my database - but they don't know the password to my admin account?
But even then -how was that email notification sent out earlier today, if nobody logged in and updated a post at that time!
I just looked at the Activity Log again - I think the IP address column is always going to be my own server address - that's just the way it works, I guess - so never mind that.
All of those were for user "unknown" - and they all said wrong password ... so unless someone breaks the password and gets in, how can they be updating a post and triggering a notification?
(by the way - there were about 1500 attempts in the last two days since I installed the program!)
I am noting that the fix is not working for you. But this brings the possibility that something else is triggering these emails.
When analyzing the copy of your website locally, we are not able to reproduce the same issue(trigger email by a simple open/save). The fix is also working on our copy.
Unfortunately, if we can't reproduce the issue, we won't be of much help.
At this point, what I can suggest is:
- Asking help from the hosting provider to understand the origin of these failed logins.
- Asking for a security check from a WordPress security agency, this will, probably, be a paid service.
Our 2nd Tier explains that this fix should be applied after the last update of Toolset Forms, we released last week. The update does not include the patch yet, so you will have to update Toolset Forms, then apply the patch.
As I explained before, the issue was not reproduced on my local copy(triggering email with a simple open/save of a donation post), probably because of a difference in the server setup), I am catching emails with a plugin, instead of a complete email solution. So, I can't confirm from my end. Our 2nd Tier has tested the fix again in a copy of your websites and it works for him.
