Where did you find that scan?
An RSS feed is read-only; nothing can be injected by it.
https://sitecheck.sucuri.net/ is a free scanner from a company that’s been credible in the community for many years.
Can anything be injected via Contact Form 7?
https://wordpress.org/plugins/contact-form-7/
Retina said that was a point of vulnerability. However, nothing is written to the database via the plugin, only emailed, so this is confusing.
Retina is:
https://www.beyondtrust.com/products/retina-network-security-scanner/
Anything that adds to the database is a *point* of vulnerability, but it doesn’t mean that it *is* a vulnerability.
For example, your front door is a *point* of vulnerability because you *could* simply leave it open. It doesn’t mean that you *will* though. 😉
Regardless though, I recommend double-checking at https://wordpress.org/support/plugin/contact-form-7
Overall though, I’m not sure I trust that scanner. They’re apparently “the security industry’s most respected and validated vulnerability assessment tool,” but this is the first time I’ve heard of them. Overall it seems that they just excessively give red flags to anything that maybe could one day be a vulnerability without seeing if it actually is. Under what they’ve reported so far (RSS feeds and Contact Forms), you might as well just have a static HTML site. 😉
I should add that we have our own recommended security measures here: https://codex.wordpress.org/Hardening_WordPress
Thanks, James. In regards to Retina, our IT folks, super-informed, stand behind it. I have always had some issues with the ‘Hardening WordPress’ codex page. I wish it were more prescriptive, especially with file permissions.