Support » Plugin: Email Subscription » Critical security issue

Viewing 6 replies - 1 through 6 (of 6 total)
  • Whoa… has this been addressed?

    Plugin Author Tobias Nyholm


    Please @ozh. That is not why nonces exist. Nonces protects you from CSRF attacks. You can always post any data to admin-ajax.php.

    Please take a class or two in computer security before writing such post.

    Duh…….. Clueless guy I’m afraid 🙂

    Please read a couple article about WP nonces, you’ll be smarter at the end of the day.

    Plugin Author Tobias Nyholm


    “WP nonces” does not differ from “regular nonces”… Instead of having a discussion about who is more of a douche. Make a PR with your patch and motivate what situation your patch will help.

    I know *very well* what’s a nonce, and I’ve been using nonces in WP since they were added in 2006, thank you.

    Needed a plugin similar to yours 10 months ago, so I tried yours and noticed that either anybody could POST to the admin form, or could make a user with sufficient privileges POST to that form without having the intention of doing so (CSRF). Can’t remember but this was enough for me to ditch the plugin.

    Using nonces fixes both situations.

    Are you using nonces now?
    Has this issue been fixed in the meantime?
    I don’t know and I honestly don’t care. I don’t have time to download, install and review your plugin again. If you have, good for you and your users. If you haven’t, too bad.

    You’re 10 months late as far as I’m concerned.

    I’m not a user of your plugin (because of said vulnerability 10 months ago) so I’m not going to spend some of my free time to check if this issue is still to be fixed and make a PR if this is still required, sorry.


    I personally use NONCES for my AJAX calls and I really like the idea of this plugin. Has this been addressed? If it has, great! Awesome plugin/ignore the haters, few plugins like this exist. please keep updating it and thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Critical security issue’ is closed to new replies.