One of the changelog entries for the latest version of Caldera Forms is “SECURITY: Patch for issue affecting CF Pro API. Does not affect most users, see post for detailssee post for details.” On the linked page it is stated:
…
In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.
Related reports of claimed database disclosure vulnerabilities were released for ARI Adminer, BackWPup, Batch-Move Posts wp plugin, Caldera Forms, Cart66 Lite, Contact Us Page Builder, Events Made Easy, Exports and Reports, L4 Shopping Cart, Orbis, Paid Memberships Pro, Search Engine, Shopp, WP EasyCart, and WP Editor. While the person behind these reports believes that the file they are listing for each of the plugins is a database backup, in reality they are files that came with the plugins. It hard to understand how they didn’t realize that as the contents are exactly the same for the same plugin file on every website they listed, but they apparently didn’t. [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during May (and what you have been missing out on if you haven’t signed up yet): [Read more]
When it comes to getting information on the security issues in WordPress plugins, developers of plugins are not always the best source. That is the case with a persistent cross-site scripting (XSS) vulnerability discovered by Federico Scalco that was in the plugin Caldera Forms. While that was claimed by the discoverer of the vulnerability, the developer of the plugin, and all of the other data sources of vulnerabilities in WordPress plugins we are aware of, to have been fixed in version 1.6.0 of the plugin, it actually wasn’t, as testing out the claimed vulnerability would have show any of them (the ease of testing that would will be something we will go into in another post). If you were using our service you would have been correctly notified that it hadn’t been fixed.
That has now been fixed in version 1.6.1.1. Here what the developer wrote about that: [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during April (and what you have been missing out on if you haven’t signed up yet): [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during October (and what you have been missing out on if you haven’t signed up yet, which you can currently do for half off): [Read more]
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.
…
If you have read either of our previous posts about the security company Planet Zuda you won’t be surprised to hear that they are selling a “fixed” version of another WordPress plugin where the vulnerability they claim to have fixed doesn’t exist. This time it is with the plugin Caldera Forms, which has 90,000+ active installs, and for which they want 29.99 for the “fixed” version.
In reading the first part of their post with the claim about this plugin it really seems that people behind this company are not all together with it, which makes deciphering what the vulnerability is supposed to be harder. Here is the main portion of the claim about the vulnerability: [Read more]
Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.
Wordfence describes the vulnerability in Caldera Forms version 1.3.5.2 as “This vulnerability allows an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.” [Read more]