This plugin is the best front-end tool to allow users to upload files with a contact form. The file uploader can be configured in many ways.
I have run this plugin for a while now and had my site compromised last week because of it.
The plugin settings allow you to choose which file types are allowed to be uploaded. Even though this was set to allow only .pdf and .zip files to be uploaded, an attacker was able to exploit the file upload system, uploading a PHP script which then gave them full access to the site. These files were found within the folder where files are uploaded to.
After discovering this I attempted to do the same and was able to upload a .php script to my site and execute it without any resistance. This is a major flaw within the plugin and anyone running it should deactivate it immediately until it has been fixed. A simple Google search for lays out the exploit and shows it's been around for quite a while. A number of new updates for the plugin have been made since its discovery, but no fix.
Big problem! I can't create a form, I can't modify an old one. I'm using WordPress 3.6 with multi-site.
I made a comment in the support forum for this plugin a month ago about a small issue, with which the plugin was still functional. I did not receive any feedback and, after just installing the update for the latest version, have more problems, so that now the plugin doesn't serve its purpose at all. See support thread for spokethethunder.