This version uses wp-query calls that doesnt prepare the database properly as well as not putting stripsplashs in the appropriate places.
It also does not use _nonce for checking and validating so you can ‘cheat’ it by sending a form to the response of someones server who is running it and hack it by using the ID field, other fields are escaped but not properly.
I do not suggest using it *at this time* until it’s flaws are fixed if you are worried about being hacked.
Emailed creator, been over a week and no response.
- The topic ‘[Plugin: Comment Notifier] 2.0.6 version security flaws.’ is closed to new replies.