• Resolved gvaslin

(@gvaslin)

    What about this? I just received it by mail:

    Dear WordPress Publisher,

    A serious vulnerability in the Custom Contact Forms plugin has been announced. While popular, this plugin appears to be infrequently updated and the developers were not very responsive in fixing the plugin, so it may be advisable to move to an alternative if possible.

    Regards,
    Mark Maunder
    Wordfence Creator & Feedjit Inc. CEO.

    https://www.ads-software.com/plugins/custom-contact-forms/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator James Huff

    (@macmanx)

    The plugin was last updated to 5.1.0.4 on August 4, and the change is listed as “Security fix.”

    Sucuri also posted https://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html yesterday and mentions, “the vulnerability affects every websites [sic] using the plugin’s 5.1.0.3 version and lower,” so it sounds like as long as you’re running 5.1.0.4, you have nothing to worry about.

    Thread Starter gvaslin

    (@gvaslin)

Thanks for your quick answer!
    Everything is OK!

    Moderator James Huff

    (@macmanx)

    You’re welcome!

I noticed a problem with this plugin. The other day it just stopped working; my contact form wouldn’t show on the site. I am running an old version of it and I noticed some other problems were caused by it also.

    I have deleted that plugin and installed contact form 7. First I thought maybe it was because I was updated to the new WordPress version.

    Moderator James Huff

    (@macmanx)

    That’s an entirely separate issue. If you’re still having trouble with the plugin, please open your own thread: https://www.ads-software.com/support/plugin/custom-contact-forms

    “as long as you’re running 5.1.0.4, you have nothing to worry about.”

    I think this is very bad advice. You have a lot to worry about, when you use a plug-in that has been abandoned by the author.

    The author of this plugin did not fix this security problem. He was contacted about the problem and did not respond. This vulnerability only was fixed because people at WordPress itself stepped in and fixed it and published this 5.1.0.4 update, when the author was not responsive.

    What will happen the next time a new security vulnerability is revealed in this plug-in? As Mark Maunder mentions in his email, it is advisable to use a different contact form plug-in.

    – Scott

    Moderator James Huff

    (@macmanx)

    Nothing to worry about in relation to the currently reported security issue. There is always risk in using anything online, but you will definitely be better off with a different non-abandoned plugin, I agree.

    I know the vulnerability may have been “fixed”, however, I have had two sites affected by this vulnerability. In the plugin page an ad for a different forms plugin appeared. All my forms and submitted entries had vanished.

    Also, a new user with administrator privileges was added. If your forms have disappeared make sure you check your users directory and look for any suspicious or unknown users.

    I have not yet found any other problems.
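The two concrete checks this thread gives a site owner are the version boundary in James Huff's reply (5.1.0.3 and lower affected, 5.1.0.4 carries the security fix) and the advice in the last post to look for unknown administrator accounts. The script below is an added example, not code from the thread, Wordfence, Sucuri, or the plugin; it works offline on a constructed user export in the shape WP-CLI's `wp user list --format=csv` produces (the real command, and `wp plugin get custom-contact-forms --field=version` for the installed version, would supply the inputs on a live site). The allowlist of expected admins and the sample rows are assumptions made up for the demonstration.

```python
import csv
import io

# From the thread: 5.1.0.4 is the "Security fix" release; 5.1.0.3 and lower are affected.
FIRST_PATCHED_VERSION = (5, 1, 0, 4)

# Constructed sample standing in for `wp user list --format=csv` output (assumption).
SAMPLE_USER_CSV = """ID,user_login,user_email,user_registered,roles
1,gvaslin,owner@example.invalid,2013-02-01 10:00:00,administrator
2,editor1,editor@example.invalid,2013-05-11 09:30:00,editor
7,wp_support,noreply@example.invalid,2014-08-05 03:12:44,administrator
"""

# Constructed allowlist of the administrator logins the site owner actually created (assumption).
EXPECTED_ADMINS = {"gvaslin"}


def parse_version(version: str) -> tuple:
    """Turn a dotted plugin version such as '5.1.0.3' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is below the first patched release (5.1.0.4).

    Tuple comparison handles shorter strings naturally: '5.1' sorts below
    (5, 1, 0, 4) and '5.2' sorts above it.
    """
    return parse_version(installed) < FIRST_PATCHED_VERSION


def unexpected_admins(user_csv: str, expected: set) -> list:
    """Return logins that hold the administrator role but are not on the allowlist."""
    rows = csv.DictReader(io.StringIO(user_csv))
    suspicious = []
    for row in rows:
        # WP-CLI lists multiple roles comma-separated inside one field.
        roles = {role.strip() for role in row["roles"].split(",")}
        if "administrator" in roles and row["user_login"] not in expected:
            suspicious.append(row["user_login"])
    return suspicious


def triage(installed_version: str, user_csv: str, expected: set) -> dict:
    """Combine both checks into one report a site owner can act on."""
    return {
        "installed_version": installed_version,
        "vulnerable_version": is_vulnerable(installed_version),
        "unexpected_admins": unexpected_admins(user_csv, expected),
    }


if __name__ == "__main__":
    # Constructed scenario: a site still on 5.1.0.3 with one admin nobody created.
    report = triage("5.1.0.3", SAMPLE_USER_CSV, EXPECTED_ADMINS)
    print(report)
```

The version check only tells you whether the fixed release is installed; the admin-account check is what catches the after-effects described in the last post, so run both. If the report lists an unexpected administrator, treat the site as compromised rather than just removing the account: the same access that created it could have changed other content or credentials.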

  • The topic ‘A serious vulnerability in the Custom Contact Forms plugin has been announced’ is closed to new replies.