Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Contact Form Email

19 Nov 2021

Not Really a WordPress Plugin Vulnerability, Week of November 19

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Stored Cross Site Scripting (XSS) in Contact Form Email

With a claimed stored cross site scripting (XSS) vulnerability in Contact Form Email, the only information provided are these instructions: [Read more]

Plugin Vulnerabilities Posted in Not Really a WordPress Plugin Vulnerability Contact Form Email, Not Really a WordPress Plugin Vulnerability

2 Nov 2018

Full Disclosure of Vulnerability That Exposes Contact Form Submissions in WordPress Plugin with 30,000 Installs

Just yesterday we were discussing the problematic behavior of WordPress Support Forum moderators deleting discussions related to vulnerabilities in plugins. What is of most concern with that is that they often do that while not making sure anything is done about getting the vulnerability fixed, which leaves websites vulnerable in instances where they shouldn’t be. Another reason that is problematic is that information on vulnerabilities can be helpful in finding other security issues in the same plugin or other plugins.

Along those lines, while writing up a post with the details of several vulnerabilities that had been fixed the other day in the plugin Contact Form Email, we noticed a fairly serious issue still in the plugin. It turns out that anyone can download all of the contact form submissions made through the plugin. According to wordpress.org, this plugin has 30,000+ active installations. [Read more]

Plugin Vulnerabilities Posted in Vulnerability Report Contact Form Email, Information Disclosure, Vulnerability Report

2 Nov 2018

Vulnerability Details: Reflected XSS, CSRF/XSS, and Persistent XSS Vulnerabilities in Contact Form Email

From time to time, a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability. When that happens, we will put out a post detailing the possible vulnerability that led to the closure, so that we can provide our customers with more complete information on the security of plugins they use.

…


[Read more]

Plugin Vulnerabilities Posted in Vulnerability Insights Contact Form Email, Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS), Persistent Cross-Site Scripting (XSS), Reflected Cross-Site Scripting (XSS), Vulnerability Details

© 2016-2025 White Fir Design LLC