[Plugin: Comment Notifier] 2.0.6 version security flaws. (4 posts)

  1. Frumph
    Posted 7 years ago #

    This version uses wp-query calls that don't prepare the database properly, as well as not putting stripslashes in the appropriate places.

    It also does not use _nonce for checking and validating, so you can 'cheat' it by sending a form to the response of someone's server who is running it and hack it by using the ID field; other fields are escaped, but not properly.

    I do not suggest using it *at this time*, until its flaws are fixed, if you are worried about being hacked.

    Emailed the creator; it's been over a week and no response.
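
    As an added illustration of the two fixes the post calls for (this is not Comment Notifier's code; the table name, field names and nonce action are assumptions), a hypothetical WordPress form handler written in the weak pattern described above, followed by a hardened version that checks a nonce, unslashes the input and uses $wpdb->prepare():

```php
<?php
// Added example (not Comment Notifier's code): a hypothetical handler that
// stores a comment-subscription row, first in the weak pattern the post
// describes, then hardened. Table name, field names and the 'cn_subscribe'
// nonce action are assumptions. Requires WordPress ($wpdb, nonce and sanitize helpers).

// Weak pattern: no nonce check, the raw ID goes straight into SQL, and
// POST data (which WordPress auto-slashes) is used without stripslashes().
function weak_subscribe_handler() {
    global $wpdb;
    $id    = $_POST['comment_id'];
    $email = $_POST['email'];
    $wpdb->query( "INSERT INTO {$wpdb->prefix}comment_subs (comment_id, email) VALUES ($id, '$email')" );
}

// Hardened form: the page that renders the form emits a nonce field ...
function hardened_subscribe_form_fields() {
    // Hidden field named cn_nonce, bound to the 'cn_subscribe' action.
    wp_nonce_field( 'cn_subscribe', 'cn_nonce' );
}

// ... and the handler refuses anything that does not carry a valid one.
function hardened_subscribe_handler() {
    global $wpdb;

    // 1. Reject requests without a valid nonce for this action (blocks forged forms).
    if ( ! isset( $_POST['cn_nonce'] ) || ! wp_verify_nonce( $_POST['cn_nonce'], 'cn_subscribe' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Undo the slashing WordPress adds to $_POST (wp_unslash() is
    //    stripslashes_deep() for WP data), then coerce each field to its expected type.
    $post  = wp_unslash( $_POST );
    $id    = absint( $post['comment_id'] ?? 0 );
    $email = sanitize_email( $post['email'] ?? '' );
    if ( 0 === $id || ! is_email( $email ) || ! get_comment( $id ) ) {
        wp_die( 'Invalid input.', 'Bad Request', array( 'response' => 400 ) );
    }

    // 3. Placeholders fix the SQL shape; $wpdb->prepare() does the quoting.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}comment_subs (comment_id, email) VALUES (%d, %s)",
        $id,
        $email
    ) );
}
```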


  2. Roy
    Posted 7 years ago #

    Just installed the thing. Thanks for the notification.

  3. marthasp6s
    Posted 6 years ago #

    I was not aware of the security hole. Has it been fixed now?

  4. leahzero
    Posted 6 years ago #

    I believe so. The author is aware of it, at least:


Topic Closed

This topic has been closed to new replies.
