Grade:
Issues the Plugin's Developer Should Address:
- User input appears to be used in a SQL statement without being validated, sanitized, or escaped, which could lead to SQL injection.
- The plugin contains a version of the third-party library Guzzle PSR-7 Message Implementation that the developer of the library says has a vulnerability labeled as "Improper header validation in guzzlehttp/psr7". The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a vulnerability labeled as "CURLOPT_HTTPAUTH option not cleared on change of origin". The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a vulnerability labeled as "Change in port should be considered a change in origin". The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a vulnerability labeled as "Failure to strip the Cookie header on change in host or HTTP downgrade". The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a vulnerability labeled as "Fix failure to strip Authorization header on HTTP downgrade". The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a vulnerability labeled as "Cross-domain cookie leakage". The plugin could be vulnerable due to that.
- Base64-obfuscated content detected. Base64 encoding also appears in harmless code (embedded images, API payloads), so this is a flag for manual review of the decoded content rather than confirmed malicious code.
- The plugin is not listed as being compatible with the latest version of WordPress, which indicates the plugin isn't being fully supported by the developer.
- The plugin was last updated over two years ago, so it doesn't appear to be supported by the developer anymore.
- The plugin doesn't contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.
- No security.txt file points to where the results of a security review of the plugin can be found. A well-done security review would provide a good measure of the security of the plugin at the time it was done.
- No security.txt file points to where a software bill of materials (SBOM), which lists the third-party software included in the plugin, can be found. That limits the ability to assess the security of that third-party software.
Resolving those issues would bring the plugin's grade up to an A+. You can notify the developer of the issues here. If the developer is interested in resolving those issues, we would be happy to help them to get started doing that.
You can also consider using a similar plugin that is already more secure, or one whose developer is interested in making their plugin more secure.
Additional Security Information
- Price for security review of version 1.0 of the plugin by Plugin Vulnerabilities: $200 USD
(Paying customers of the Plugin Vulnerabilities service select plugins to receive free reviews.)
Libraries Detected in Plugin
- Guzzle
- Version in Plugin: 6.5.5
- Latest Version of Library: 7.9.2
- This library's security policy on GitHub is directing vulnerability reports away from the developer.
- OpenSSF Scorecard results
- Guzzle Promises
- Version in Plugin: 1.4.0
- Latest Version of Library: 2.0.4
- This library's security policy on GitHub is directing vulnerability reports away from the developer.
- OpenSSF Scorecard results
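Five of the Guzzle advisories listed under the issues above concern one mechanism: credentials (the Authorization and Cookie headers, and cURL's HTTPAUTH setting) being carried across a redirect to a different origin, where a change of port or an https-to-http downgrade was not treated as a change of origin. The following is an added model of that rule, not Guzzle's code and not the plugin's: it normalises each URL to (scheme, host, effective port), decides whether a hop crosses an origin boundary, and walks a constructed redirect chain, dropping the sensitive headers when it does. It applies the strict browser-style origin comparison (any change of scheme, host or port), which is stricter than a downgrade-only rule; the port_is_origin=False switch reproduces the port-ignoring behaviour that the "change in port" advisory describes. The URLs and responses are constructed for the example.

```python
from typing import NamedTuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SENSITIVE_HEADERS = {"authorization", "cookie"}


class Origin(NamedTuple):
    scheme: str
    host: str
    port: int


def origin_of(url: str) -> Origin:
    """Scheme, lower-cased host and effective port (default port filled in)."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return Origin(scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme, 0))


def should_strip(from_url: str, to_url: str, port_is_origin: bool = True) -> bool:
    """True when credentials sent to from_url must not be replayed to to_url.

    A host change and an https->http downgrade always count. With
    port_is_origin=False the port is ignored, which is the gap the
    "change in port should be considered a change in origin" advisory describes.
    """
    src, dst = origin_of(from_url), origin_of(to_url)
    if src.host != dst.host:
        return True
    if src.scheme == "https" and dst.scheme == "http":
        return True
    if port_is_origin and src.port != dst.port:
        return True
    return False


def follow_redirects(url, headers, responses, max_redirects=5):
    """Walk a redirect chain and return (url, headers_sent) for every hop.

    `responses` maps an absolute URL to (status, Location-or-None) and stands
    in for the network. Location may be relative; it is resolved against the
    current URL before the origin check.
    """
    sent = dict(headers)
    hops = [(url, dict(sent))]
    for _ in range(max_redirects):
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return hops
        next_url = urljoin(url, location)
        if should_strip(url, next_url):
            sent = {k: v for k, v in sent.items() if k.lower() not in SENSITIVE_HEADERS}
        url = next_url
        hops.append((url, dict(sent)))
    raise RuntimeError("too many redirects")


# Constructed chain: a same-origin hop, then a cross-host HTTP downgrade.
RESPONSES = {
    "https://api.example.com/login": (302, "/v2/login"),
    "https://api.example.com/v2/login": (302, "http://mirror.example.net/final"),
    "http://mirror.example.net/final": (200, None),
}

if __name__ == "__main__":
    start = {"Authorization": "Bearer t", "Cookie": "s=1", "Accept": "*/*"}
    for hop_url, hop_headers in follow_redirects("https://api.example.com/login", start, RESPONSES):
        print(hop_url, sorted(hop_headers))
```

The same decision has to be applied to anything the HTTP client caches per connection, which is the point of the CURLOPT_HTTPAUTH advisory: a cURL handle reused for the redirected request keeps its authentication settings unless the client clears them on the origin change. Upgrading Guzzle past the affected versions is the straightforward remedy for the plugin; the model above is only to make the rule visible.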
Plugin Information
- Slug: aspose-contact-form
- Version: 1.0
- WordPress Plugin Directory listing
Highest Graded Contact Form Plugins
- Fluent Forms: B+
- MetForm: B+
- Flo Forms: B
- Smart Forms: B
- Contact Form 7: C+
- Formidable Forms: C+
- Gutena Forms: C+
- HTML Forms: C+
- WPForms Lite: C+
- WS Form LITE: C
Check Plugin Not in WordPress Plugin Directory
Subscribers of our service can submit ZIP files of plugins that are not in the WordPress Plugin Directory to have them checked. (Not all issues can be checked for with uploaded plugins, as they require data not available with just the plugin's files.) You can sign up for the service for free here. For existing subscribers, once you are logged in to your account, return to this page to access that functionality.
The results of these gradings will not be stored.
About the Scorecard
The Plugin Security Scorecard grades plugins' handling of security based on data coming from the Plugin Vulnerabilities service, checking over the contents of the plugin, the WordPress.org API, and data generated specifically for the tool. It provides a useful, but incomplete, understanding of the security posture of the plugin and its developer. All the issues identified are ones that the developer of the plugin has the ability to address to get the grade of the plugin up to an A+.
Grades are calculated based on issues with any of the following:
- Plugins known to be vulnerable
- Plugin developers with track records of improperly handling security problems
- Security issues in the plugin that can be detected in an automated fashion
- Issues with the developer's development processes that suggest there could be problems with security
- Plugins making unsupported, misleading, and false claims about their handling of security and the handling of security with WordPress
We are working to expand and refine the tool's ability to provide a good measure of plugins' security status. If you are aware of an additional security concern with this plugin that isn't represented here, please contact us. Other feedback on the tool is also welcome.
If you want a comprehensive understanding of the security of the plugin, a well-done security review is really needed to provide that.