• Resolved tontov

    (@tontov)


    Hi, I recently became an admin on a site that is using WP Forms Pro (I do not have access to the Pro credentials so can’t seek support through there.)

    I did discover that folks have used the form to upload docs, many of which have sensitive, personally identifiable info that’s available to anyone to view with the direct link. However, the subfolders are restricted.

    For example:

    Example dot com/wp-content/uploads/wpforms/SameRepeatingNumber-letterHash/uploadeddocument IS viewable on web to anyone

    But, Example dot com/wp-content/uploads/wpforms/SameRepeatingNumber-letterHash/ IS NOT viewable.

    It’s unlikely anyone will get a direct link, but this seems like a potential vulnerability. How can we be assured that these docs will not be crawled or indexed? Seems to me that the best option is to restrict all docs in the subfolder, but I’m not seeing an obvious way to do that. And you’d think it’d be built into the plugin. I’m not seeing anything to suggest the prior admin used anything other than default settings.

    I’m not sharing the site for privacy reasons. Also, as I said, I just became an admin on this site so lack some access and knowledge.

    Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Hi, I recently became an admin on a site that is using WP Forms Pro (I do not have access to the Pro credentials so can’t seek support through there.)

    That doesn’t really matter; the developer would risk getting into real trouble if they support “pro” users here.

    For pro or commercial product support please contact the developer directly on their site. This includes any pre-sales topics as well.

    https://wpforms.com/contact/

    As the developer is aware, commercial products are not supported in these forums. I am sure they will have no problem supporting you there.

    Thread Starter tontov

    (@tontov)

    Thanks for the guidance, Jan. I did not realize the commercial support limitation here. I did contact them through their site as a general inquiry.

    The issue I’m seeing may not be limited to Pro users, so a follow-up on this forum may be useful as well.

    Hey @tontov – Thanks for contacting us!

    The File upload field and the uploaded files URL in the context that you’ve described is part of the paid version of WPForms. I see you’ve created a ticket using our contact page and we are already assisting you with the question.

    I apologize that we’re not able to respond to paid version questions here in the www.ads-software.com support forums for the free version. In that regard, I’m going to close this ticket. If you have any questions, please feel free to use our Contact Page.

    Thanks!

  • The topic ‘Form Uploads Not Protected – Exposed to Web’ is closed to new replies.