5 Sep 2024

WordPress Plugins With at Least 150,000+ Installs Using Versions of Third-Party Library With Recently Disclosed Security Vulnerabilities

As we work to expand the capabilities of our new Plugin Security Scorecard, one of our focuses is providing better security information on libraries included in plugins. That is already helping to identify WordPress plugins that are using libraries with known vulnerabilities. Earlier this week, we noted that a plugin with 600,000+ installs was still using a vulnerable version of a library 17 months after an update was released. In that situation, we found that the developer had not released a security advisory through the GitHub project for the vulnerability. With another library, the developer recently released a couple of advisories, and we found that several fairly popular plugins are using an affected version of the library.

The library is PhpSpreadsheet, and the advisories were released on August 28. The plugins are all using version 1.x of the library, and an update for that was released on September 2. [Read more]

19 Oct 2022

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A recurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmasters, and then the sources of that inaccurate information are not the ones having to deal with the fallout of it. Take this recent forum topic for the plugin Advanced Contact Form 7 DB (Advanced CF7 DB), which included a message coming from the paid iThemes Security Pro service claiming that there was a “known” vulnerability in the latest version of the plugin, version 1.9.1. Here is the message:

SEPT 30: Known issues in Advanced Contact form 7 DB v1.9.1 [Read more]

19 Oct 2022

Persistent Cross-Site Scripting (XSS) Vulnerability in Advanced Contact Form 7 DB (Advanced CF7 DB)

In a separate post we discuss in more detail the vague claims made that there has been a persistent cross-site scripting (XSS) vulnerability in the plugin Advanced Contact Form 7 DB (Advanced CF7 DB). Patchstack claimed that a vulnerability of that type was fixed in version 1.8.8, but the details provided only state:


[Read more]

24 Nov 2021

Closed WordPress Plugin With 90,000+ Installs Contains Authenticated Arbitrary File Deletion Vulnerability

Today, the WordPress plugin Advanced Contact form 7 DB (Advanced CF7 DB) was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 90,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a vulnerability that allows anyone logged in to WordPress to delete arbitrary files from the website.

We tested and confirmed that our new firewall plugin for WordPress protected against the proof of concept below, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. [Read more]

19 Jul 2019

Closures of Very Popular WordPress Plugins, Week of July 19

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware, the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week three of those plugins were closed and one of those has not been reopened. [Read more]

17 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Advanced CF7 DB (Advanced Contact form 7 DB)

Yesterday we noted the recently closed plugin Advanced CF7 DB (Advanced Contact form 7 DB) had numerous security issues. It looks like one of those may have led to it being closed, as subsequent to the closure a new version with the changelog “We have fixed SQL injection related bugs at the back office query.” was submitted. It is interesting that this seems to be rather minor in comparison with some of the other issues, as it looks like by default it is only directly accessible by Administrators.


[Read more]

14 Sep 2018

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Advanced Contact form 7 DB

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a more limited variant of one of those serious vulnerability types, which isn’t as much of a concern for the average website but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found was introduced in the most recent version of the plugin Advanced Contact form 7 DB.

The vulnerability could allow an attacker that had access to a WordPress account to upload arbitrary files to the website, and by uploading a malicious PHP file they could take just about any action on the website. It could also allow an attacker who can get a logged-in user to visit a URL the attacker controls to exploit the vulnerability. [Read more]

1 Sep 2017

What Happened With WordPress Plugin Vulnerabilities in August 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during August (and what you have been missing out on if you haven’t signed up yet): [Read more]

24 Aug 2017

Authenticated Information Disclosure Vulnerability in Advanced Contact form 7 DB

One of the strengths of WordPress is the multitude of plugins available; if you need some functionality, you are likely to find a plugin that provides it. There are downsides as well. With over 51,000 plugins in the Plugin Directory, it isn’t surprising to find new plugins that duplicate functionality already provided by another plugin. One of the downsides of that is that we have seen a fair number of situations where a vulnerability has been fixed in a plugin and then another similar plugin comes along that has that same vulnerability. In the case of a vulnerability we found in the plugin Advanced Contact form 7 DB, we found the same vulnerability we had found in a couple of other similar plugins. The vulnerabilities in the other plugin still haven’t been fixed, while this one has now been fixed, though you wouldn’t know that there was a security fix in the version that fixed it if you relied on the plugin’s changelog.

The plugin entered our radar when a piece of its code got flagged as part of our proactive monitoring for serious vulnerabilities in WordPress plugins. The code in question turned out not to be vulnerable, but based on the vulnerabilities we had found in similar plugins, which allowed people who shouldn’t be able to view the contents of contact form submissions to do so, we checked to see if it was also an issue with this plugin, and it turned out to be the case. [Read more]