Login

Tag Archives: CodePeople

24 Jun 2019

Reflected Cross-Site Scripting (XSS) Vulnerability in CP Contact Form with PayPal

Back in March of 2016 we warned of the WordPress plugin developer CodePeople, which currently has 27 plugins in the Plugin Directory, due to repeated security issues in their plugins. Over three years later things don’t look to have changed. The changelog for the latest version of the plugin CP Contact Form with PayPal is “Fixed XSS vulnerability in CSS edition” in looking into that to see if there was a vulnerability we should be notifying customers of our service that were using that plugin about, we found that there is still a related vulnerability in the current version of the plugin, which should have been caught if they checked over the code in the plugin for similar issues. The vulnerability that was fixed is identical to one that they were notified was in another of their plugin’s in October.

The plugin register its main admin page to be accessible to users with the “manage_options” capability, which normally only Administrators have: [Read more]

10 Mar 2016

Developer Security Advisory: CodePeople

On February 8 a report of several vulnerabilities in CodePeople’s Booking Calendar Contact Form plugin was released. While reviewing those for inclusion in our data we found that issue 5, a cross-site request forgery (CSRF) vulnerability that permitted the deleting calendar items still existed. That own its own is not major issue since someone would have to want to cause calendars to be deleted and get someone logged in as admin to visit a page that would caused it to happen, so we didn’t find much concern with that. We did notify the developer and several days later it was fixed.

While that on its own seems to be a minimal issue, over the next month vulnerability were reported in two more of the plugins and in each case CodePeople failed to fully resolve the issues, leaving us to believe the security of their plugins should be a concern. [Read more]