HMS Testimonials
[resolved] Multiple critical vulnerabilities found (14 posts)

  1. Rogue Coder
    Member
    Posted 11 months ago #

    I've spent a couple of hours today testing the plugin in my "lab" and I've found some critical vulnerabilities. Please provide me with an email address where I can send the information...

    http://wordpress.org/plugins/hms-testimonials/

  2. Jeff K
    Member
    Plugin Author

    Posted 11 months ago #

    Thanks.

    The form here sends it directly to me. If you want to send a "test" I will respond as soon as possible, same with if you want to send what you found.

    http://hitmyserver.com/contact-us/

  3. Rogue Coder
    Member
    Posted 11 months ago #

    I will send another message through the contact-us form with all the content.

  4. Jeff K
    Member
    Plugin Author

    Posted 11 months ago #

    Thanks

  5. Rogue Coder
    Member
    Posted 11 months ago #

    Your contact form is flawed... I get this when trying to send.

    ------
    Forbidden

    You don't have permission to access /contact/ on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    -------

    You want me to disclose it here? If not, give me somewhere else to send it. I don't think you would like this to be public before it's patched, to be honest.

  6. Jeff K
    Member
    Plugin Author

    Posted 11 months ago #

    The contact form is fixed now. Make sure to refresh the page.

    Of course I don't want you to release it to the public until I have fixed the issues.

  7. Rogue Coder
    Member
    Posted 11 months ago #

    Refreshed the page and still the same error.

  8. Jeff K
    Member
    Plugin Author

    Posted 11 months ago #

    Odd, I just tested it.

    Anyways:

    kreitje@ my domain

  9. Rogue Coder
    Member
    Posted 11 months ago #

    Roger... I'll send it there.

  10. Jeff K
    Member
    Plugin Author

    Posted 11 months ago #

    Thanks, I am pretty sure the security rules on the server are blocking what you stick in my comment form causing the 403.

    I have received your email.

  11. Rogue Coder
    Member
    Posted 11 months ago #

    Yeah, might be... That's good.

  12. Jeff K
    Member
    Plugin Author

    Posted 11 months ago #

    An update has been pushed (version 2.0.11) securing these vulnerabilities.

    Thank you for sending these in along with proof of concepts.

    Jeff

  13. Rogue Coder
    Member
    Posted 11 months ago #

    You're welcome. I will upgrade my version and test it as well.

  14. Rogue Coder
    Member
    Posted 11 months ago #

    I just wanted to stop by and say that I've tested 2.0.11 and the vulnerabilities are indeed secured :)
