Email Subscription
[resolved] Critical security issue (7 posts)

  1. Ozh
    Member
    Posted 2 years ago

    The form to add emails doesn't use nonces: anyone can post any data to your blog's admin-ajax.php from any computer.

    I highly recommend NOT TO USE that plugin.

    http://wordpress.org/extend/plugins/email-subscription/

  2. BenRacicot
    Member
    Posted 1 year ago

    Whoa... has this been addressed?

  3. Tobias Nyholm
    Member
    Plugin Author

    Posted 1 year ago

    Please @Ozh. That is not why nonces exist. Nonces protect you from CSRF attacks. You can always post any data to admin-ajax.php.

    Please take a class or two in computer security before writing such a post.

  4. Ozh
    Member
    Posted 1 year ago

    Duh........ Clueless guy I'm afraid :)

    Please read a couple of articles about WP nonces; you'll be smarter at the end of the day.

  5. Tobias Nyholm
    Member
    Plugin Author

    Posted 1 year ago

    "WP nonces" do not differ from "regular nonces"... Instead of having a discussion about who is more of a douche, make a PR with your patch and motivate what situation your patch will help.

    https://github.com/Nyholm/Wordpress-Email-Subscription

  6. Ozh
    Member
    Posted 1 year ago

    I know *very well* what a nonce is, and I've been using nonces in WP since they were added in 2006, thank you.

    I needed a plugin similar to yours 10 months ago, so I tried yours and noticed that either anybody could POST to the admin form, or could make a user with sufficient privileges POST to that form without having the intention of doing so (CSRF). I can't remember which, but this was enough for me to ditch the plugin.

    Using nonces fixes both situations.

    Are you using nonces now?
    Has this issue been fixed in the meantime?
    I don't know and I honestly don't care. I don't have time to download, install and review your plugin again. If you have, good for you and your users. If you haven't, too bad.

    You're 10 months late as far as I'm concerned.

    I'm not a user of your plugin (because of said vulnerability 10 months ago), so I'm not going to spend some of my free time checking whether this issue is still to be fixed and making a PR if it is still required, sorry.

    Bye.
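To make the two concerns argued over above concrete, here is an added example that is not the plugin's code and not from either poster: a hypothetical admin-side AJAX handler in the shape Ozh describes (no nonce, no capability check) beside a hardened version. The action name `es_demo_add_email`, the nonce field `es_nonce` and the option key `es_demo_list` are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Action name, nonce field and
// option key below are hypothetical.

// BEFORE: the shape of handler described in the thread. Any request that reaches
// admin-ajax.php modifies the list: a cross-site form submitted by a logged-in
// admin (CSRF) is accepted because nothing ties the request to a page this site
// rendered, and nothing checks the caller is allowed to manage the list at all.
function es_demo_add_email_unsafe() {
    $list   = (array) get_option( 'es_demo_list', array() );
    $list[] = $_POST['email'];
    update_option( 'es_demo_list', $list );
    wp_send_json_success();
}

// AFTER: the two checks are independent and both are needed.
function es_demo_add_email_safe() {
    // 1. Nonce: proves the request originated from a form/page this site rendered
    //    for this user, which is what defeats CSRF. check_ajax_referer() ends the
    //    request on failure.
    check_ajax_referer( 'es_demo_add_email', 'es_nonce' );

    // 2. Capability: proves the caller may perform this action. A nonce alone does
    //    not stop a low-privilege user who obtained a valid nonce for themselves.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the input before storing it.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $list = (array) get_option( 'es_demo_list', array() );
    if ( ! in_array( $email, $list, true ) ) {
        $list[] = $email;
        update_option( 'es_demo_list', $list );
    }
    wp_send_json_success( array( 'count' => count( $list ) ) );
}
// Logged-in users only: an admin-only action gets no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_es_demo_add_email', 'es_demo_add_email_safe' );

// The form posting to this handler must carry the matching nonce, e.g. rendered
// with wp_nonce_field( 'es_demo_add_email', 'es_nonce' ) or handed to the JS
// side via wp_localize_script().
```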

  7. BenRacicot
    Member
    Posted 1 year ago

    I personally use NONCES for my AJAX calls and I really like the idea of this plugin. Has this been addressed? If it has, great! Awesome plugin; ignore the haters, few plugins like this exist. Please keep updating it, and thanks!

Topic Closed

This topic has been closed to new replies.
