Hi Team,

    I would like to know whether there is some misconfiguration at my end or whether it is an actual security flaw – but would it be right to write the entire test case here in a public post?

    The flaw that I found is that when someone fills in the Shortcode Form generated by WP-CRM (maybe using CF7, I don’t know), it allows updating other users’ data (e.g. First Name, Last Name, Phone Number) without valid authorization.

    https://wordpress.org/plugins/wp-crm/

Viewing 3 replies - 1 through 3 (of 3 total)
Plugin Contributor MariaKravchenko (@mariakravchenko)

    Hello.

    You are right, this can be done, but this is not a bug or security flaw.

    Our forms collect user information for admin purposes, just for monitoring user activity.

    Forms do not have any security attributes in general, so if someone fills them in with wrong information, that can’t influence the security of your site.

    Regards.

Thread Starter niravz (@niravz)

    Hi,

    Thanks for the info.

    So how do I unlink the form from saving data to the WP Users table? Because this is messing with the first_name/last_name in the WP users info table, and we don’t want open forms that collect First Name, Last Name, etc. to update the user info randomly just because someone enters an existing email ID.

Plugin Contributor MariaKravchenko (@mariakravchenko)

    You do not need to use those attributes in the form then; create some other ones for your form.

    Regards.
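For readers who want to see the pattern the thread is discussing side by side with a safe version, here is an added illustration in generic WordPress PHP. It is not WP-CRM’s code and does not use any WP-CRM hook; the form action name `crm_profile`, the field names (`email`, `first_name`, `last_name`, `phone`), the nonce field `crm_nonce` and the `crm_submission` post type are all assumptions made for the example. The first handler shows why selecting the target account by a posted e-mail address lets any visitor overwrite another user’s profile; the second only ever writes to the authenticated user’s own record, and anonymous submissions are stored as a separate CRM record instead of touching `wp_users`/`wp_usermeta`.

```php
<?php
/*
 * Added example (not WP-CRM code). Assumptions: the form POSTs to
 * admin-post.php with action=crm_profile, carries the fields email,
 * first_name, last_name, phone, and (for the hardened path) a nonce
 * produced by wp_nonce_field( 'crm_profile', 'crm_nonce' ).
 */

function crm_field( $name ) {
    // Read one POST field, unslashed and sanitized; empty string if absent.
    return isset( $_POST[ $name ] ) ? sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) : '';
}

// VULNERABLE PATTERN (shown for contrast, deliberately NOT registered on a hook):
// the account to modify is chosen purely from attacker-controlled input, so anyone
// who knows or guesses a registered e-mail address can rewrite that user's name.
function crm_profile_handler_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );         // lookup keyed on posted e-mail
    if ( $user ) {
        wp_update_user( array(
            'ID'         => $user->ID,
            'first_name' => crm_field( 'first_name' ),
            'last_name'  => crm_field( 'last_name' ),
        ) );
        update_user_meta( $user->ID, 'phone', crm_field( 'phone' ) );
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}

// HARDENED PATTERN: a logged-in visitor may update only the account they are
// authenticated as; the posted e-mail is never used to pick the target row.
function crm_profile_handler_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 401 ) );
    }
    // CSRF check: the nonce is bound to this specific action name.
    if ( ! isset( $_POST['crm_nonce'] )
        || ! wp_verify_nonce( wp_unslash( $_POST['crm_nonce'] ), 'crm_profile' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $user_id = get_current_user_id();               // target = the session's own user

    wp_update_user( array(
        'ID'         => $user_id,
        'first_name' => crm_field( 'first_name' ),
        'last_name'  => crm_field( 'last_name' ),
    ) );
    update_user_meta( $user_id, 'phone', crm_field( 'phone' ) );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}

// ANONYMOUS SUBMISSIONS: keep the form public for lead collection, but store the
// submission as its own private record (assumed post type crm_submission) so it
// can never alter an existing account, whatever e-mail address is typed in.
function crm_submission_anonymous() {
    if ( ! isset( $_POST['crm_nonce'] )
        || ! wp_verify_nonce( wp_unslash( $_POST['crm_nonce'] ), 'crm_profile' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    wp_insert_post( array(
        'post_type'   => 'crm_submission',
        'post_status' => 'private',
        'post_title'  => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'meta_input'  => array(
            'first_name' => crm_field( 'first_name' ),
            'last_name'  => crm_field( 'last_name' ),
            'phone'      => crm_field( 'phone' ),
            'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
        ),
    ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}

// Only the safe handlers are wired up; logged-in and anonymous paths differ.
add_action( 'admin_post_crm_profile',         'crm_profile_handler_hardened' );
add_action( 'admin_post_nopriv_crm_profile',  'crm_submission_anonymous' );
```

The check a practitioner should look for in any such form plugin is the one between the two handlers above: whether the row being written is selected from the visitor’s session (`get_current_user_id()`) or from a value the visitor typed. A form that collects profile data for monitoring, as the plugin author describes, does not need to write into `wp_users` at all; a separate record per submission keeps the data without granting anonymous visitors write access to other accounts.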

The topic ‘Possible Security Flaw in Shortcode Forms’ is closed to new replies.