vulnerability?

  • e dev

    (@efishinsea)


    1 day, 12 hours ago

    We have had an issue with a bot uploading multiple files directly to the code without submitting a form over 9000 times in the past 24 hours. I am working to mitigate this in a variety of ways, but there should be some checks added to the code to prevent upload without a form postback.

    There are no form submissions for these uploads which were originally brought to our attention when the host took our site offline due to the large volume of traffic to the server. It’s from a rotating list of IPs so blocking IPs directly hasn’t worked well.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter e dev

    (@efishinsea)

    1 day, 10 hours ago

    Also, I do not have ‘pdf’ as an allowed file type: 

    Allowed File Types: .3ds, .bw2, .dwg, .dxf, .fc2, .fc3, .jpg, .png, .ppj, .r2x, .rar, .rhx, .rvt, .skp, .zip.

    but can still upload pdfs.

    Plugin Author Glen Don Mongaya

    (@glenwpcoder)

    1 day, 9 hours ago

    Hello @efishinsea ,

    It’s likely that the issue was caused by an injection somewhere else and not through the form itself. Could you please provide a screenshot or the path of the affected files where the code was added (for example, wp-content/uploads/wpcf7_dnd_uploads)?

    Does your hosting provider have any logs or information available that could help us trace the source of the issue or identify the specific file that introduced it? if you have any information you can send directly through my email glenmongaya@gmail.com do not post it here.

    The plugin is actively maintained and regularly reviewed by security teams, including Patchstack and Wordfence. At this time, we are not aware of any issues related to this.

    Please let me know.

    Thread Starter e dev

    (@efishinsea)

    20 hours, 56 minutes ago

    done.

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.