Vulnerability Details: HTML Injection in cforms2
The plugin cforms2 was closed on the WordPress Plugin Directory on July 19. Since then a new version of the plugin has been submitted, with one of the changelog entries being “bugfix: validate {IP} being an IP address, preventing CSRF or other similar attacks”. It isn’t clear how cross-site request forgery (CSRF) could be related to that validation. Looking at the changes made, we found that the validation was indeed added and that the other changelog entry, “other: remove {Referer} substitution variable”, was related, as both changes involve user input that may not have been recognised as such. What we found was that previously, without the IP address validation, HTML code could be caused to be included in the emails the plugin normally sends to the admin of the website. That was recently suggested to be something hackers could abuse in the case of another similar vulnerability.
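The following is an added illustration, not code from cforms2 or from this post, of the two changelog items above: a substitution-variable expander in its unvalidated form beside a hardened form that checks {IP} is a real address, drops {Referer}, and HTML-escapes what it substitutes. The template, variable names and the sample request data are constructed assumptions.

```python
import html
import ipaddress
import re

# Constructed sample of the request data a form plugin might substitute into the
# admin notification email. REMOTE_ADDR is deliberately not an IP address, to
# show why {IP} must be validated before it is placed in an HTML email.
SAMPLE_REQUEST = {
    "REMOTE_ADDR": "not-an-ip <b>injected markup</b>",
    "HTTP_REFERER": "https://example.com/?q=<i>x</i>",
}

# Hypothetical email template in the {VAR} style the cforms2 changelog refers to.
TEMPLATE = "New submission from {IP} (referer: {Referer})"

# Mapping from substitution variable to the request field it is read from.
VARIABLES = {"IP": "REMOTE_ADDR", "Referer": "HTTP_REFERER"}


def valid_ip(value):
    """True only if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expand_unvalidated(template, request):
    """Pre-fix behaviour as the post describes it: every variable is copied into
    the email verbatim, so markup in a client-controlled value survives."""
    return re.sub(r"\{(\w+)\}",
                  lambda m: request.get(VARIABLES.get(m.group(1), ""), m.group(0)),
                  template)


def expand_validated(template, request):
    """Hardened expansion: {IP} must be a real address, {Referer} is no longer a
    supported variable, and every substituted value is HTML-escaped."""
    def substitute(m):
        name = m.group(1)
        if name == "IP":
            value = request.get("REMOTE_ADDR", "")
            return html.escape(value) if valid_ip(value) else "[invalid IP]"
        if name == "Referer":
            return ""  # variable removed, as the changelog states
        return html.escape(request.get(VARIABLES.get(name, ""), m.group(0)))
    return re.sub(r"\{(\w+)\}", substitute, template)
```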
...
This post provides insights on a vulnerability in the WordPress plugin cforms2 that was not discovered by us, where the discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.
If you were using our service, you would already have been warned about this vulnerability if your website is vulnerable because of it. You can try out our service for free and then see the rest of the details of the vulnerability.