Login

Tag Archives: Contact Form Submissions

1 Apr 2022

Vulnerability Details: Information Disclosure in Contact Form Submissions

Yesterday, the WordPress plugin Contact Form Submissions was closed on WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 50,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. We actually already were warning our customers, as the plugin still has an unfixed vulnerability we found the last time it was closed. Looking for anything else, we found that some of the code in the plugin isn’t properly secured, though not in a way that looks to normally lead to a vulnerability. What we already knew about was a recent claim of a security issue in the plugin, which we hadn’t yet fully reviewed.

[Read more]

28 Feb 2020

Recently Closed WordPress Plugin with 60,000+ Installs Contains Multiple Vulnerabilities

The plugin Contact Form Submissions was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 60,000+ installs, so we were alerted to its closure. While we were looking in to the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a CSV injection vulnerability and an authenticated SQL injection vulnerability, which can also exploited through cross-site request forgery (CSRF).

The CSV injection vulnerability involves a lack of escaping when using the plugin “Export to CSV” feature, as can be confirmed with the proof of concept below. [Read more]