12 Jun

Cross-Site Request Forgery (CSRF) Vulnerability in Contact Form 7 – PayPal Add-on

After noticing a number of vulnerabilities in a couple of plugins that work with the plugin Contact Form 7 we started looking over other plugins that work with it. In doing that we found that the plugin Contact Form 7 – PayPal Add-on has a cross-site request forgery (CSRF) vulnerability in its code to save the plugin’s settings, which could be used to change the PayPal account that payments through the plugin are sent.

[Read more]