09 Jun

WordPress Plugin Directory’s Security Review Leads to Putting Public At More Risk

Yesterday we announced we have temporarily ended our notifications to the WordPress Plugin Directory when there are plugins with disclosed vulnerabilities in the current version of the plugin that is in the directory, until they put forward concrete plans to resolve two issues. One of those is finally warning people when they are using plugins [Read more]

08 Jun

Authenticated Information Disclosure Vulnerability in Contact Form 7 Database

After noticing that another plugin that saves contact form submissions from the plugin Contact Form 7 made them publicly accessible, we took a look at other plugins that also save them to see if any of them had a similar issue. In doing that we found that the plugin Contact Form 7 Database made saved contact form submissions [Read more]

03 Apr

Cross-Site Request Forgery (CSRF)/Form Submission Deletion Vulnerability in Contact Form 7 Database

While looking over another vulnerability in the plugin Contact Form 7 Database we also noticed that it lacked protection against cross-site request forgery (CSRF) when deleting the form submissions that it stores. The following code in the file /admin/table.php handles processing requests to delete form submissions: [Read more]

03 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in Contact Form 7 Database

One of the ways we keep track of vulnerabilities in WordPress plugins is by monitoring the wordpress.org Support Forum as that is sometimes where vulnerabilities are disclosed. As far as we can tell we are alone in doing this, so if you are relying on another data source for your plugin vulnerability data you are [Read more]