12 Aug 2019

Vulnerability Details: HTML Injection in cforms2

The plugin cforms2 was closed on the WordPress Plugin Directory on July 19. Since then a new version of the plugin has been submitted, with one of the changelog entries being “bugfix: validate {IP} being an IP address, preventing CSRF or other similar attacks”. It isn’t clear how cross-site request forgery (CSRF) could be related to that validation. Looking at the changes made, we found that the validation does occur, and also that the other changelog entry, “other: remove {Referer} substitution variable”, is related, as both changes involve user input that might not have been recognized as such. What we found was that previously, without the IP address validation, you could cause HTML code to be included in the emails normally sent out to the admin of the website. That was recently suggested to be something hackers could abuse in the case of another similar vulnerability.
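The substitution pattern described above, as an added example and not cforms2’s own code: a hypothetical email template in which {IP} is filled from a client-controlled request header (the header name, template and fallback are assumptions; the post does not say where the plugin read the address), first without validation and then with the kind of IP check the changelog describes, plus escaping on output.

```php
<?php
// Added illustration, not cforms2 code. Shows how an unvalidated {IP}
// substitution variable lets a client push HTML into the admin
// notification email, and what the fix looks like. The header used,
// the template and the fallback value are assumptions for this example.

// Vulnerable: the address is taken from a proxy header the client
// controls, so the "IP" can be arbitrary text, including markup.
function client_ip_unvalidated(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
}

function render_email_vulnerable(string $template, array $server): string {
    // Raw substitution: whatever the client sent lands in the HTML email body.
    return str_replace('{IP}', client_ip_unvalidated($server), $template);
}

// Hardened: only accept a syntactically valid IPv4/IPv6 literal, and fall
// back to the server-set REMOTE_ADDR (or a placeholder) otherwise.
function client_ip_validated(array $server): string {
    $candidate = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    $remote = $server['REMOTE_ADDR'] ?? '';
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : 'unknown';
}

function render_email_hardened(string $template, array $server): string {
    // Validation narrows the value to an address; escaping makes sure that
    // even a placeholder is treated as data, not markup, in the email body.
    $ip = htmlspecialchars(client_ip_validated($server), ENT_QUOTES, 'UTF-8');
    return str_replace('{IP}', $ip, $template);
}

// Constructed request: the client supplies HTML where an address is expected.
$template = '<p>New form submission from {IP}</p>';
$server = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<a href="https://example.invalid/login">Reset your password</a>',
];

echo "Vulnerable: ", render_email_vulnerable($template, $server), "\n";
echo "Hardened:   ", render_email_hardened($template, $server), "\n";
```

Run with `php example.php`: the first line carries the injected link into the email body, the second only the validated address. The same reasoning applies to a {Referer} variable, since the Referer header is also supplied by the client; there is no tight syntax to validate it against, which is consistent with the plugin removing that variable rather than validating it.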
