Security features of VFB Pro easily bypassed
The functionality of the plugin is excellent and it’s easy to design and build new forms, but we found that the application was let down by serious flaws in the security implementations.
Specifically, we upgraded to VFB Pro for the reCAPTCHA support, but quickly identified after purchasing and installing the plugin that this, along with the CSRF protection and timestamp checks, can all be trivially bypassed. We disclosed our findings directly to the developer and offered potential high-level solutions, not being WordPress developers ourselves, but he seemed reluctant to address the issue. Not great for a paid product in my opinion.
The move to only support Invisible reCAPTCHA v3 instead of Invisible reCAPTCHA v2 is also not great. V3 is designed to be used where there is a further verification function available if the returned score is low, something that v2 has built in by way of the “select images challenge”. V3 without this potentially means visitors being wrongly marked as spam with no way to challenge this.
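The point about v3 scores above is worth seeing in code. The following is an added example written for this page, not code from the review author or from the VFB Pro plugin: it validates a parsed reCAPTCHA v3 siteverify response on the server (success, action, hostname, token age, score) and, when the score falls below the threshold, reports that a visible v2 checkbox challenge is needed instead of silently discarding the submission. The function names, the threshold of 0.5, the sample responses and the hostname `forms.example` are all assumptions; the siteverify URL and the response fields are Google's documented ones.

```python
"""Server-side handling of reCAPTCHA v3 results with a v2 fallback (added example).

reCAPTCHA v3 returns a 0.0-1.0 score and leaves the decision to the site; a low
score is a signal, not a verdict. These hypothetical helpers validate the parsed
siteverify response and route low scores to a visible v2 checkbox challenge
rather than marking the visitor as spam with no way to contest it.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

ALLOW, CHALLENGE, REJECT = "allow", "challenge", "reject"


def siteverify_params(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
    """Form fields to POST to SITEVERIFY_URL (the request itself is not sent here)."""
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    return params


def _parse_ts(value: str) -> datetime:
    # siteverify reports challenge_ts as ISO 8601 UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decide_v3(resp: dict, expected_action: str, expected_hostname: str, *,
              threshold: float = 0.5, max_age: timedelta = timedelta(minutes=2),
              now: Optional[datetime] = None) -> str:
    """Return ALLOW, CHALLENGE or REJECT for one parsed v3 siteverify response."""
    if not resp.get("success"):
        return REJECT                      # invalid, expired or reused token
    if resp.get("action") != expected_action:
        return REJECT                      # token minted for a different form
    if resp.get("hostname") != expected_hostname:
        return REJECT                      # token minted on a different site
    try:
        issued = _parse_ts(resp["challenge_ts"])
    except (KeyError, ValueError):
        return REJECT
    now = now or datetime.now(timezone.utc)
    age = now - issued
    if age > max_age or age < timedelta(seconds=-30):
        return REJECT                      # stale token, or server clock skew
    try:
        score = float(resp["score"])
    except (KeyError, TypeError, ValueError):
        return REJECT
    return ALLOW if score >= threshold else CHALLENGE


def handle_submission(v3_resp: dict, v2_resp: Optional[dict] = None, *,
                      action: str, hostname: str, now: Optional[datetime] = None) -> str:
    """Combine the v3 verdict with an optional v2 checkbox result.

    Returns 'accepted', 'rejected' or 'needs_v2_challenge'. The last value tells
    the form layer to re-render with the v2 widget instead of dropping the post.
    """
    verdict = decide_v3(v3_resp, action, hostname, now=now)
    if verdict == ALLOW:
        return "accepted"
    if verdict == REJECT:
        return "rejected"
    if v2_resp is None:
        return "needs_v2_challenge"
    # v2 checkbox result comes from the same endpoint but carries no score;
    # success plus a matching hostname decides.
    v2_ok = bool(v2_resp.get("success")) and v2_resp.get("hostname") == hostname
    return "accepted" if v2_ok else "rejected"


# Constructed sample responses in the shape siteverify returns (not real data).
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_HIGH = {"success": True, "score": 0.9, "action": "submit_form",
               "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "forms.example"}
SAMPLE_LOW = dict(SAMPLE_HIGH, score=0.2)
SAMPLE_V2_OK = {"success": True, "challenge_ts": "2024-01-01T12:01:00Z",
                "hostname": "forms.example"}

if __name__ == "__main__":
    kw = dict(action="submit_form", hostname="forms.example", now=NOW)
    print(handle_submission(SAMPLE_HIGH, **kw))                 # accepted
    print(handle_submission(SAMPLE_LOW, **kw))                  # needs_v2_challenge
    print(handle_submission(SAMPLE_LOW, SAMPLE_V2_OK, **kw))    # accepted
```

The action and hostname checks matter as much as the score: a token minted for another form or another site will verify as `success: true` but should still be rejected, and the age check closes the window in which a single harvested token could be replayed.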