Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jules Colle

    (@jules-colle)

    I did and it's patched. They just don’t want to change the status.

    WP-Henne

    (@wp-henne)

    Hello @robins9845,

    You can increase the basic security of your form(s) by putting them in an encoder.
    I initiated this extension (execute shortcodes in the encoder https://www.ads-software.com/support/topic/encoding-cf7-shortcode/ ) at the time and have been using it on all websites ever since. For contact forms as well as for logins or even entire forums.
    Feel free to try it out.

    1) https://www.ads-software.com/plugins/email-encoder-bundle/

    [eeb_protect_content protection_text="Please activate javascript to see the protected form." method="rot13" do_shortcode="yes"]
    [your-CF7-shortcode]
    [/eeb_protect_content]

    Change [your-CF7-shortcode] to yours!

    It is not a fix for the named bug, but at least it is no longer possible for scripts to fire your form. It requires real browser access, which at least significantly reduces the number of possible attackers.
    If you also use the bad bot plugin, for example, dubious bots will also be blocked…

    2) https://www.ads-software.com/plugins/blackhole-bad-bots/

    cheers!

    Plugin Author Jules Colle

    (@jules-colle)

    This has nothing to do with the so-called vulnerability. The security issue that was pointed out by Patchstack is completely harmless. The only problem was that someone who is logged in as a subscriber could dismiss the notice saying “you need to install CF7 if you want to use Conditional Fields for CF7”. This is no longer possible. Now you need to have at least the permission to update plugins before you can dismiss this notice. That’s all. The plugin doesn’t expose any backdoors.

    The reason they still don’t want to mark it as resolved is that I don’t check for a nonce, which means that an administrator could disable the notice without actually clicking the dismiss button. OK, it’s annoying, but definitely not a security issue, so I’m not going to handle this with any priority.
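For readers who want to see what the capability check plus nonce check discussed in this thread looks like in a WordPress admin-notice dismiss handler, here is an added example; it is not the plugin's own code, and the hook name, option name, script handle and nonce action are assumed placeholders.

```php
<?php
// Added example, not Conditional Fields for CF7's code. Names below are placeholders.

// Hand the nonce to the admin page so the dismiss button can send it back.
add_action( 'admin_enqueue_scripts', function () {
    // Assumed script handle and file; dismiss.js is expected to POST
    // action=example_dismiss_notice plus the nonce to ajaxUrl.
    wp_enqueue_script( 'example-dismiss', plugins_url( 'dismiss.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-dismiss', 'exampleDismiss', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_dismiss_notice' ),
    ) );
} );

// wp_ajax_* hooks only run for logged-in users, but "logged in" alone is what
// let a subscriber dismiss the notice, so two further checks are needed.
add_action( 'wp_ajax_example_dismiss_notice', function () {
    // 1. Nonce: the request must carry a token this site issued to this user
    //    on a page it rendered, so a link or form on another site cannot
    //    trigger the dismissal on the admin's behalf. check_ajax_referer()
    //    dies with a -1/403 response if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 2. Capability: only users allowed to update plugins may change
    //    plugin-level state; subscribers fail this check.
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Both checks passed: record the dismissal (assumed option name).
    update_option( 'example_notice_dismissed', 1 );
    wp_send_json_success();
} );
```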

  • The topic ‘Vulnerability issue on 2.4.1’ is closed to new replies.