Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in FormCraft Basic
The changelog for the latest version of FormCraft Basic is “Fixed CSRF vulnerability”. Looking at the changes made in that version, we found that cross-site request forgery (CSRF) protection had been added to various AJAX-accessible functions for actions that can be taken from the plugin’s admin page, which are normally only accessible to Administrators, as the “activate_plugins” capability is required.
…
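The pattern described above, as an added example that is not FormCraft Basic's code: a WordPress AJAX handler that checks only the “activate_plugins” capability, next to one that also verifies a nonce. The action name, option name and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example AJAX nonce check (illustrative, not FormCraft Basic code)
 */

// Hypothetical action name, used only for this example.
const EXAMPLE_ACTION = 'example_save_form';

// Before: only the capability is checked. The browser attaches the
// Administrator's session cookie to every request to the site, so a request
// triggered from another origin still passes this check.
function example_save_form_unprotected() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    example_store_form_name();
}

// After: the capability check stays, and a nonce ties the request to a page
// that WordPress rendered for this user and this action.
function example_save_form_protected() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reads $_REQUEST['nonce']; the third argument makes it return false
    // on failure instead of terminating, so the handler picks the response.
    if ( ! check_ajax_referer( EXAMPLE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    example_store_form_name();
}

// Shared state-changing step (hypothetical option name).
function example_store_form_name() {
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    update_option( 'example_form_name', $name );
    wp_send_json_success( array( 'name' => $name ) );
}

// Only the protected handler is registered for logged-in users.
add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_save_form_protected' );

// The admin page sends this value in the "nonce" field of its AJAX request.
function example_nonce_for_admin_page() {
    return wp_create_nonce( EXAMPLE_ACTION );
}
```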