
[Plugin: Comment Notifier] 2.0.6 version security flaws. (4 posts)

  1. Frumph
    Member
    Posted 4 years ago #

    This version uses wp-query calls that don't prepare the database properly, as well as not putting stripslashes in the appropriate places.

    It also does not use _nonce for checking and validating, so you can 'cheat' it by sending a form to the response of someone's server who is running it and hack it by using the ID field; other fields are escaped but not properly.

    I do not suggest using it *at this time* until its flaws are fixed if you are worried about being hacked.

    Emailed creator, been over a week and no response.

    http://wordpress.org/extend/plugins/comment-notifier/
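The three flaw classes named in the post above (an unprepared query, missing slash handling, and no nonce check on a form that carries an ID) are illustrated below with an added example; this is not the Comment Notifier plugin's code or the poster's, and the table name, action name, field names and capability are assumptions.

```php
<?php
// Added example, not Comment Notifier code. Assumes a hypothetical custom table
// {$wpdb->prefix}cn_subscriptions with an integer `id` column, and a form that
// POSTs an "id" field to remove one subscription.

// Unsafe pattern described in the thread: no nonce, no capability check, the
// slashed $_POST value is used as-is, and the ID is interpolated into the SQL.
function cn_example_unsubscribe_unsafe() {
    global $wpdb;
    $id = $_POST['id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}cn_subscriptions WHERE id = $id" );
}

// Hardened form: the request must carry a nonce bound to this action, the caller
// needs the right capability, the input is unslashed and cast to an integer, and
// the statement goes through $wpdb->prepare().
function cn_example_unsubscribe_safe() {
    global $wpdb;

    $nonce = isset( $_POST['cn_nonce'] ) ? wp_unslash( $_POST['cn_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'cn_unsubscribe' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // WordPress adds slashes to superglobals; wp_unslash() removes them before
    // validation, and absint() leaves nothing but a non-negative integer.
    $id = absint( wp_unslash( isset( $_POST['id'] ) ? $_POST['id'] : 0 ) );
    if ( 0 === $id ) {
        wp_die( 'Invalid ID.', '', array( 'response' => 400 ) );
    }

    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}cn_subscriptions WHERE id = %d", $id )
    );
}

// The form that submits to the safe handler embeds the matching nonce field,
// so a form posted from another site lacks a valid token and is rejected.
function cn_example_unsubscribe_form( $id ) {
    echo '<form method="post">';
    wp_nonce_field( 'cn_unsubscribe', 'cn_nonce' );
    echo '<input type="hidden" name="id" value="' . esc_attr( (int) $id ) . '">';
    echo '<input type="submit" value="Unsubscribe">';
    echo '</form>';
}
```

Both handlers would be wired to the same form action hook; only the safe one verifies that the request originated from a page this site rendered.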

  2. Roy
    Member
    Posted 4 years ago #

    Just installed the thing. Thanks for the notification.

  3. marthasp6s
    Member
    Posted 4 years ago #

    I was not aware of the security hole. Has it been fixed now?

  4. leahzero
    Member
    Posted 4 years ago #

    I believe so. The author is aware of it, at least:

    http://www.satollo.net/comment-notifier-help#comment-330

This topic has been closed to new replies.