• Resolved jgold723

    (@jgold723)


    I’m getting a message from Wordfence that my WPForms plugin has a critical vulnerability? Can someone from WP Forms shed some light on this? Do I need to remove the plugin?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support Kenneth Macharia

    (@kmacharia)

    Hi @jgold723,

    Thanks for reaching out!

    We are not currently aware of any vulnerabilities in the latest version of the plugin (v 1.7.8). Would you mind confirming if you are running this version of the plugin? If not, I’d recommend updating to the latest version.

    Also, when you have a chance, could you please share a copy of the report from Wordfence so that we can further advise? I’d recommend redacting any sensitive information such as your site path before sharing the report.

    I’m looking forward to your response. 🙂

    Thanks!

    Thread Starter jgold723

    (@jgold723)

    Hi, thanks for getting back. The “Critical Vulnerability” flagged was this:

    https://www.cve.org/CVERecord?id=CVE-2022-3574

    Hey @jgold723 – Thanks for following this ticket. I’m Prashant filling in for Kenneth.

    The CSV issue was already resolved in WPForms v1.7.7, and if you’re using the latest version of WPForms, the CSV issue mentioned should be resolved and not present in your WPForms plugin.

    Having said that, it seems that you’re using the paid version of WPForms. If you have any questions or need further assistance, please feel free to reach out via our contact page.

    Kindly,

    The issue seems to be happening with the free plugin, not just the paid plugin.

    Both Wordfence & ManageWP are flagging several clients’ websites with vulnerabilities related to this plugin. It started being flagged on November 15th, 2022 and ManageWP links this as the issue – https://patchstack.com/database/vulnerability/wpforms/wordpress-wpforms-pro-premium-plugin-1-7-6-csv-injection-vulnerability

    Is there any way the plugin author can reach out and have this fixed? Clients are getting fairly upset about seeing this warning.

    Hey @368durham – When you have some time, can you please get in touch with us using our Contact Form? We would be happy to assist you.

    Kindly,

    @prashantrai I’ve been dealing with the same security error as mentioned above. I’ve just submitted a message via the contact form (as you directed 368durham to do) – I hope that’s okay.

    Cheers!

    Hi all,

    Been following updates for this ticket, but haven’t seen movement for a while. Has this issue been resolved?

    Thank you

    Hey @sezgower – Thanks for submitting the support ticket and I apologize for the delay in getting back to your support request. @qs21 when you get a chance, please feel free to reach out using our contact form and our support team will assist you.

    Kindly,

    Hey @sezgower and @qs21 – I hope you reached out to us via the contact form. Since we haven’t heard back from you in a few days, I’m going to go ahead and close this thread for now. But if you’d like us to assist further, please feel welcome to continue the conversation.

    Thanks!

    Hi @prashantrai

    I reached out to the team via the contact form but was essentially told that “email support is only for users with an active WPForms licence”.

    Really all I’m looking for is information about if there is a security risk in using the free plugin (i.e. why do we keep getting warned about it via ManageWP) and if there is a risk, will a fix also be applied to the free plugin?

    Appreciate your help!

    Cheers

    Hey @sezgower – I checked the ticket you created, and also interacted with the development team, and there’s no security risk with the latest version of WPForms and the security reports our users mentioned were false positive reports.

    In this case, the suggestion is to use the latest version of WPForms and then the reports can be ignored. If your clients are still concerned about the reports then I’d recommend reaching out to the ManageWP team to let them know about the false reports displaying on your site. It’s possible they may have an update or fix in place to prevent these false reports from appearing.

    Kindly,

  • The topic ‘Critical vulnerability?’ is closed to new replies.