Email Subscription
[resolved] Critical security issue (7 posts)

  1. Ozh
    Member
    Posted 1 year ago #

    The form to add emails doesn't use nonces: anyone can post any data to your blog's admin-ajax.php from any computer.

    I highly recommend NOT TO USE that plugin.

    http://wordpress.org/extend/plugins/email-subscription/

  2. BenRacicot
    Member
    Posted 5 months ago #

    Whoa... has this been addressed?

  3. Tobias Nyholm
    Member
    Plugin Author
    Posted 4 months ago #

    Please @Ozh. That is not why nonces exist. Nonces protects you from CSRF attacks. You can always post any data to admin-ajax.php.

    Please take a class or two in computer security before writing such a post.

  4. Ozh
    Member
    Posted 4 months ago #

    Duh........ Clueless guy I'm afraid :)

    Please read a couple of articles about WP nonces; you'll be smarter at the end of the day.

  5. Tobias Nyholm
    Member
    Plugin Author
    Posted 4 months ago #

    "WP nonces" do not differ from "regular nonces"... Instead of having a discussion about who is more of a douche, make a PR with your patch and motivate what situation your patch will help.

    https://github.com/Nyholm/Wordpress-Email-Subscription

  6. Ozh
    Member
    Posted 4 months ago #

    I know *very well* what a nonce is, and I've been using nonces in WP since they were added in 2006, thank you.

    Needed a plugin similar to yours 10 months ago, so I tried yours and noticed that either anybody could POST to the admin form, or could make a user with sufficient privileges POST to that form without having the intention of doing so (CSRF). Can't remember but this was enough for me to ditch the plugin.

    Using nonces fixes both situations.

    Are you using nonces now?
    Has this issue been fixed in the meantime?
    I don't know and I honestly don't care. I don't have time to download, install and review your plugin again. If you have, good for you and your users. If you haven't, too bad.

    You're 10 months late as far as I'm concerned.

    I'm not a user of your plugin (because of said vulnerability 10 months ago) so I'm not going to spend some of my free time to check if this issue is still to be fixed and make a PR if this is still required, sorry.

    Bye.

  7. BenRacicot
    Member
    Posted 4 months ago #

    I personally use NONCES for my AJAX calls and I really like the idea of this plugin. Has this been addressed? If it has, great! Awesome plugin/ignore the haters, few plugins like this exist. Please keep updating it and thanks!
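
The two points argued in posts 3 and 6 (a nonce only defends against CSRF; "anyone can POST to admin-ajax.php" is a separate authorization question) are both handled by the same small pattern. The code below is an added example written for this thread, not code from the Email Subscription plugin or its author: a hypothetical "add email" admin-ajax handler shown first without checks, then hardened with a nonce, a capability check and input validation. The action name `es_example_add_email`, the option name `es_example_emails`, the `manage_options` capability, the settings-page hook suffix and the script handle are all assumptions for the example; every WordPress function used is a real core API.

```php
<?php
/**
 * Added example (not the plugin's code). Shows why a nonce alone is not enough
 * and why a capability check alone is not enough on a state-changing AJAX action.
 * Names marked "assumed" are invented for this example.
 */

// --- Before: the kind of handler the thread is complaining about ---
// No nonce, no capability check, no validation. Any logged-in user's browser
// can be made to submit this (CSRF), and any logged-in user is allowed to.
add_action( 'wp_ajax_es_example_add_email_insecure', function () {
    $list   = get_option( 'es_example_emails', array() ); // assumed option name
    $list[] = $_POST['email'];
    update_option( 'es_example_emails', $list );
    wp_send_json_success();
} );

// --- After: the hardened handler ---
const ES_EXAMPLE_ACTION = 'es_example_add_email'; // assumed action / nonce name

// Registered with 'wp_ajax_' only (no 'wp_ajax_nopriv_'): anonymous requests get
// WordPress's default "0" response and never reach this function.
add_action( 'wp_ajax_' . ES_EXAMPLE_ACTION, 'es_example_add_email' );

function es_example_add_email() {
    // 1. CSRF defence: the request must carry a nonce bound to this action and
    //    the current user's session. check_ajax_referer() dies with -1 / 403
    //    when the 'security' field is missing, forged, or expired.
    check_ajax_referer( ES_EXAMPLE_ACTION, 'security' );

    // 2. Authorization: a valid nonce proves the user *intended* the request,
    //    not that they are *allowed* to make it. This is the check that answers
    //    "anyone can POST to admin-ajax.php".
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validation: only a well-formed address is stored.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }

    $list = get_option( 'es_example_emails', array() );
    if ( ! in_array( $email, $list, true ) ) {
        $list[] = $email;
        update_option( 'es_example_emails', $list );
    }
    wp_send_json_success( array( 'count' => count( $list ) ) );
}

// --- Issuing the nonce to the admin page's script ---
// The client then POSTs { action: esExample.action, security: esExample.nonce,
// email: '...' } to esExample.ajaxUrl; the nonce is created server-side per user.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_es-example' !== $hook ) { // assumed settings page hook suffix
        return;
    }
    wp_enqueue_script( 'es-example', plugins_url( 'es-example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'es-example', 'esExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => ES_EXAMPLE_ACTION,
        'nonce'   => wp_create_nonce( ES_EXAMPLE_ACTION ),
    ) );
} );
```

Two things worth keeping in mind when reviewing a handler like this: a WordPress nonce is derived from the user ID and session token, so a page loaded by a logged-out visitor carries a nonce that will not verify for a logged-in admin, which is what makes it effective against CSRF; and because a nonce says nothing about permissions, the `current_user_can()` check is what stops a low-privilege but logged-in account from calling the action directly. Omitting either one leaves one of the two scenarios described in post 6 open.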

Topic Closed

This topic has been closed to new replies.
