Support » Plugin: Custom Contact Forms » Spam gateway – do not use "as-is"

  • This plugin looks absolutely fantastic, and on an internal wordpress site could be really useful. Unfortunately the plugin, as written, provides a route for spam to be sent to anyone via the website it’s installed into.

    As such I cannot recommend it at the moment.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Taylor Lovett


    The plugin includes recaptcha support….

    The recaptcha does nothing whatsoever to mitigate the problem. CCF is still a Spam gateway.

    Sadly even with version I can still route spam through anyone else’s Custom Contact Forms. No login required.

    I added the reCaptcha keys but there is no option in the dropdown to add the reCaptcha. All I get is the poor “captcha” option.

    The Google reCaptcha doesn’t work because there is no entry in the wp_customcontactforms_fields SQL table for it. So no it doesn’t have “reCaptcha” but only a simple “captcha” which all spam bots can get around.

    The captcha, recaptcha, whatever is completely irrelevant. The HTML code that is generated by the form makes it trivial for a third party to send email through your mailer. This completely bypasses the validation.

    Want an example? Let me know your WordPress contact page and an (obfuscated) target email address I should hit, and I’ll demonstrate.


    @roaima: I completely believe you. No worries. I’ve already looked at the code and can see it.

    @roaima: I am interesting fixing this problem- globally if I can, or at least locking down an installation if I cannot.

    Unfortunately, I do not see a way to email you directly. Please send me your contact info at M8R-im95d4(at) and I will email you back from a proper address for details.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Spam gateway – do not use "as-is"’ is closed to new replies.