19 Oct 2022

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A recurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmasters, and then the sources of that inaccurate information are not the ones having to deal with the fallout. Take this recent forum topic for the plugin Advanced Contact Form 7 DB (Advanced CF7 DB), which included a message coming from the paid iThemes Security Pro service claiming that there was a “known” vulnerability in the latest version of the plugin, version 1.9.1. Here is the message:

SEPT 30: Known issues in Advanced Contact form 7 DB v1.9.1 [Read more]

19 Oct 2022

Persistent Cross-Site Scripting (XSS) Vulnerability in Advanced Contact Form 7 DB (Advanced CF7 DB)

In a separate post we discuss in more detail the vague claims that there has been a persistent cross-site scripting (XSS) vulnerability in the plugin Advanced Contact Form 7 DB (Advanced CF7 DB). Patchstack claimed that a vulnerability of that type was fixed in version 1.8.8, but the details provided only state:


[Read more]

24 Nov 2021

Closed WordPress Plugin With 90,000+ Installs Contains Authenticated Arbitrary File Deletion Vulnerability

Today, the WordPress plugin Advanced Contact form 7 DB (Advanced CF7 DB) was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 90,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a vulnerability that allows anyone logged in to WordPress to delete arbitrary files from the website.

We tested and confirmed that our new firewall plugin for WordPress protected against the proof of concept below, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. [Read more]

19 Jul 2019

Closures of Very Popular WordPress Plugins, Week of July 19

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week three of those plugins were closed and one of those has not been reopened. [Read more]

17 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Advanced CF7 DB (Advanced Contact form 7 DB)

Yesterday we noted that the recently closed plugin Advanced CF7 DB (Advanced Contact form 7 DB) had numerous security issues. It looks like one of those may have led to it being closed, as subsequent to the closure a new version with the changelog “We have fixed SQL injection related bugs at the back office query.” was submitted. It is interesting that this seems to be rather minor in comparison with some of the other issues, as it looks like by default the affected code is only directly accessible by Administrators.


[Read more]