Potential security vulnerability?
Hey Matt, subsequent to the MailPoet vulnerability discovered by Sucuri this week, we did an audit on all the plugins we use regularly and noticed something that might be a concern.
Looks like the only check you do on ‘save’ is is_admin() and that it’s running after ‘admin_init’. You do check_admin_referer, but nowhere do you verify that the user actually has any admin capabilities before making a whole bunch of writes to the DB.
And you’re not doing a lot of sanitization beyond esc_html() on the input from $_REQUEST. Suggest you use filter_input() instead of $_REQUEST[], and then use the appropriate wp_kses() functions as well.
Finally, $wpdb->insert() takes three arguments, with the 3rd being a validation array of expected formats (%s, %d, %f) to help ensure the input matches.
Thought I’d pass on this feedback as your plugin just got red flagged over here. Hope you get some time for a quick update!
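The three points raised above (capability check, input sanitization, and the format array on $wpdb->insert) side by side, as an added example that is not the plugin's code and not from the poster. It assumes it runs inside a loaded WordPress plugin; the `myplugin_` prefix, the `myplugin_items` table, the `manage_options` capability and the field names are hypothetical. One caveat worth keeping in mind: `$wpdb->insert()` already parameterises its values, so the format array is about coercing each column to the type you expect (`%d`, `%f`, `%s`), not about SQL injection, and `esc_html()` is output escaping, not input validation.

```php
<?php
// Added example: not the plugin's code. Assumes WordPress is loaded (plugin context).
// The 'myplugin_' prefix, table, hooks, capability and field names are hypothetical.

/* --- BEFORE: the pattern described in the post (shown for contrast; not registered) --- */
// add_action( 'admin_init', 'myplugin_unsafe_save' );
function myplugin_unsafe_save() {
    global $wpdb;
    // is_admin() only means "this request is for /wp-admin/". A logged-in subscriber,
    // or a call to admin-ajax.php, satisfies it. It is not a capability check.
    if ( ! is_admin() || empty( $_REQUEST['myplugin_save'] ) ) {
        return;
    }
    check_admin_referer( 'myplugin_save' ); // nonce proves intent (CSRF), not authorisation
    $wpdb->insert(
        $wpdb->prefix . 'myplugin_items',
        array( 'title' => esc_html( $_REQUEST['title'] ), 'body' => $_REQUEST['body'] )
        // No format array: every value is bound as %s. esc_html() here is output
        // escaping applied at the wrong layer; 'body' is stored completely raw.
    );
}

/* --- AFTER: hardened handler, hooked on admin-post.php --- */
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );
function myplugin_handle_save() {
    global $wpdb;

    // 1. Authorisation: the user must actually hold the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'myplugin' ), 403 );
    }

    // 2. CSRF: nonce tied to this specific action (wp_die()s with 403 on failure).
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    // 3. Read only the named POST fields. filter_input() reads the raw request,
    //    so the slashes WordPress adds to $_POST are not present and no wp_unslash() is needed.
    $title   = (string) filter_input( INPUT_POST, 'title', FILTER_UNSAFE_RAW );
    $body    = (string) filter_input( INPUT_POST, 'body', FILTER_UNSAFE_RAW );
    $weight  = filter_input( INPUT_POST, 'weight', FILTER_VALIDATE_FLOAT );  // false/null if bad/missing
    $enabled = filter_input( INPUT_POST, 'enabled', FILTER_VALIDATE_INT );

    // 4. Sanitise each field to what it is allowed to contain.
    $title   = sanitize_text_field( $title );        // single line, tags stripped
    $body    = wp_kses_post( $body );                // only the HTML allowed in post content
    $weight  = ( false === $weight || null === $weight ) ? 0.0 : (float) $weight;
    $enabled = ( 1 === $enabled ) ? 1 : 0;

    if ( '' === $title ) {
        wp_die( esc_html__( 'Title is required.', 'myplugin' ), 400 );
    }

    // 5. Insert with the format array so each column is bound with the expected type.
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'myplugin_items',
        array( 'title' => $title, 'body' => $body, 'weight' => $weight, 'enabled' => $enabled ),
        array( '%s', '%s', '%f', '%d' )
    );

    wp_safe_redirect(
        add_query_arg(
            'myplugin_saved',
            $inserted ? '1' : '0',
            admin_url( 'options-general.php?page=myplugin' )
        )
    );
    exit;
}

// Matching form: the nonce field pairs with check_admin_referer() above, and the
// 'action' value routes the POST to the admin_post_myplugin_save hook.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
        <input type="text" name="title">
        <textarea name="body"></textarea>
        <input type="number" step="0.01" name="weight">
        <label><input type="checkbox" name="enabled" value="1"> Enabled</label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The order in the hardened handler matters: capability first, then nonce, then input handling, so an unauthorised user is rejected before any request data is touched. When output is later rendered, `body` still needs context-appropriate escaping (`wp_kses_post()` on the way in does not remove the need for escaping on the way out).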