Title: Potential security vulnerability?
Last modified: August 21, 2016

---

# Potential security vulnerability?

[Tom Auger](https://wordpress.org/support/users/tomauger/) (@tomauger)

[11 years, 11 months ago](https://wordpress.org/support/topic/potential-security-vulnerability/)

Hey Matt, subsequent to the MailPoet vulnerability discovered by Sucuri this week, we did an audit on all the plugins we use regularly and noticed something that might be a concern.

Looks like the only check you do on ‘save’ is is_admin() and that it’s running after ‘admin_init’. You do check_admin_referer, but nowhere do you verify that the user actually has any admin capabilities before making a whole bunch of writes to the DB.

And you’re not doing a lot of sanitization beyond esc_html() on the input from $_REQUEST. Suggest you use filter_input() instead of $_REQUEST[], and then use the appropriate wp_kses() functions as well.

Finally, $wpdb->insert() takes three arguments, with the 3rd being a validation array of expected formats (%s, %d, %f) to help ensure the input matches.

Thought I’d pass on this feedback as your plugin just got red flagged over here. Hope you get some time for a quick update!

[https://wordpress.org/plugins/visual-form-builder/](https://wordpress.org/plugins/visual-form-builder/)
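The three points raised in the post (a capability check on save, reading and sanitizing input with filter_input() and wp_kses(), and passing the format array to $wpdb->insert()) shown side by side in one save handler. This is an added example, not Visual Form Builder's own code; the hook, nonce action name, field names and table name are hypothetical and only serve to illustrate the pattern.

```php
<?php
/**
 * Added example, not Visual Form Builder's code. The nonce action
 * 'vfb_example_save_form', the POST field names and the table
 * {$wpdb->prefix}vfb_example_forms are assumptions for illustration.
 */

// BEFORE: the pattern the post describes. is_admin() is true for any request
// routed through /wp-admin/ (including admin-ajax.php) and says nothing about
// who the user is; the nonce only proves the request came from a page that
// rendered the nonce. Any logged-in user who can obtain one reaches the writes.
function vfb_example_save_form_unsafe() {
	if ( ! is_admin() ) {
		return;
	}
	check_admin_referer( 'vfb_example_save_form', 'vfb_nonce' );

	global $wpdb;
	$wpdb->insert(
		$wpdb->prefix . 'vfb_example_forms',
		array(
			'form_title' => esc_html( $_REQUEST['form_title'] ),
			'form_email' => $_REQUEST['form_email'],
			'form_limit' => $_REQUEST['form_limit'],
		)
		// no format array: every value is treated as a string
	);
}

// AFTER: same handler with the checks the post asks for.
function vfb_example_save_form_hardened() {
	// Only act on our own form submission, not on every admin_init.
	if ( 'save_form' !== filter_input( INPUT_POST, 'vfb_action', FILTER_UNSAFE_RAW ) ) {
		return;
	}

	// 1. Authorization: the user must actually hold an admin capability.
	//    is_admin() is a context check, not an access check.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}

	// 2. CSRF: the nonce check stays; it complements the capability check.
	check_admin_referer( 'vfb_example_save_form', 'vfb_nonce' );

	// 3. Read input with filter_input() rather than $_REQUEST. It reads the
	//    original request body, so WordPress' added slashes on $_POST do not
	//    apply, and validation filters reject malformed values up front.
	//    null = field absent, false = failed the filter.
	$title = filter_input( INPUT_POST, 'form_title', FILTER_UNSAFE_RAW );
	$email = filter_input( INPUT_POST, 'form_email', FILTER_VALIDATE_EMAIL );
	$desc  = filter_input( INPUT_POST, 'form_description', FILTER_UNSAFE_RAW );
	$limit = filter_input(
		INPUT_POST,
		'form_limit',
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 0, 'default' => 0 ) )
	);

	if ( null === $title || false === $email || null === $email ) {
		wp_die( 'Invalid form data.', '', array( 'response' => 400 ) );
	}

	// 4. Sanitize for the destination: plain text fields get
	//    sanitize_text_field(), HTML-bearing fields get wp_kses() with an
	//    explicit allow-list so only those tags and attributes survive.
	$allowed_html = array(
		'a'      => array( 'href' => true, 'title' => true ),
		'strong' => array(),
		'em'     => array(),
		'p'      => array(),
		'br'     => array(),
	);
	$data = array(
		'form_title'       => sanitize_text_field( $title ),
		'form_email'       => sanitize_email( $email ),
		'form_description' => wp_kses( (string) $desc, $allowed_html ),
		'form_limit'       => (int) $limit,
	);

	// 5. $wpdb->insert() third argument: one format per column, in the same
	//    order as $data. %d coerces to an integer and %s produces a properly
	//    escaped, quoted string, so a value can never alter the query structure.
	global $wpdb;
	$ok = $wpdb->insert(
		$wpdb->prefix . 'vfb_example_forms',
		$data,
		array( '%s', '%s', '%s', '%d' )
	);
	if ( false === $ok ) {
		wp_die( 'Database error.', '', array( 'response' => 500 ) );
	}
	return (int) $wpdb->insert_id;
}
add_action( 'admin_init', 'vfb_example_save_form_hardened' );
```

Two points worth checking when applying this to a real plugin: the capability passed to current_user_can() should match the capability the settings page itself is registered with (so the nonce is never rendered for a user who would be rejected on save), and FILTER_UNSAFE_RAW is used deliberately because the value is sanitized afterwards with a WordPress function chosen for the column's use, which the post recommends over relying on esc_html() alone.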



## Tags

 * [best practices](https://wordpress.org/support/topic-tag/best-practices/)
