WordPress › Support » [Plugin: Comment Notifier] 2.0.6 version security flaws.

Frumph
Member
Posted 2 years ago #

This version uses wp-query calls that doesnt prepare the database properly as well as not putting stripsplashs in the appropriate places.

It also does not use _nonce for checking and validating so you can 'cheat' it by sending a form to the response of someones server who is running it and hack it by using the ID field, other fields are escaped but not properly.

I do not suggest using it *at this time* until it's flaws are fixed if you are worried about being hacked.

Emailed creator, been over a week and no response.

http://wordpress.org/extend/plugins/comment-notifier/

Roy
Member
Posted 2 years ago #

Just installed the thing. Thanks for the notification.

marthasp6s
Member
Posted 2 years ago #

I was not aware of the security hole. Has it been fixed now?

leahzero
Member
Posted 2 years ago #

I believe so. The author is aware of it, at least:

http://www.satollo.net/comment-notifier-help#comment-330

WordPress.org

Forums

[Plugin: Comment Notifier] 2.0.6 version security flaws. (4 posts)

Topic Closed

About this Topic

Tags

Code is Poetry