WP Contact Form Vulnerabilities
WP Contact Form is a very popular WordPress plugin.
Mustlive has reported a number of vulnerabilities, which you can view at his web page here.
According to the plugin author's page, the latest version is 3.1.8. We went ahead and downloaded a copy to have a look. The actual contact form page that your users see is not vulnerable to these attacks. However, the "/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" page is vulnerable.
Please note that at the time of writing this article all versions appear to be affected (<=3.1.8). We recommend disabling this plugin until a fix can be provided.
Comments
We suggest ditching this plugin. Its code is pure crap and half of the support requests I got with a particular plugin were because of this shitty stuff. There are a gazillion contact form plugins available, pick a better one.
[...] comes from BlogSecurity, where security holes in WordPress and its plugins (WP Contact Form Plugin) are also regularly uncovered. To scan your own blog, all you need is this comment in the [...]
Would be nice to suggest a better one instead of saying there are millions of better ones... a link maybe?
Isn’t this another case where locking down your wp-admin folder so only specific users can access it would be useful? These aren’t WP users, but users defined in a .htaccess file.
David!
You wrote an incorrect link ;-) (this link can be used in another post about the 2nd WP plugin if you want to write about it).
The post you linked to is about vulnerabilities in Contact Form ][. I wrote about the vulnerability in WP-ContactForm in another post: http://websecurity.com.ua/2335/ (and I wrote about many other holes in WP-ContactForm last year in the MoBiC project).
These are similar plugins (Contact Form ][ and WP-ContactForm) and they both have vulnerabilities. Contact Form ][ is made by Chip Cuccio and WP-ContactForm by Douglas Karr; they are both made from the original WP-ContactForm 1.5 and both have similar holes (and some holes left over from the original), but also have their own holes. Both of these plugins need to improve their security.
David, and once more about your post :-).
The actual contact form page that your users see is not vulnerable to these attacks.
It’s not a correct statement, because the actual contact form page is vulnerable too, in both the WP-ContactForm and Contact Form ][ plugins.
The Abuse of Functionality hole in both plugins (which works at the contact page) allows sending spam to arbitrary emails via sites with either of these plugins.
The Insufficient Anti-automation hole in WP-ContactForm (due to a captcha bypass) allows sending any amount of messages to the admin (and to any email in the case of the Abuse of Functionality hole). Insufficient Anti-automation in Contact Form ][ (due to the lack of a captcha) also allows sending any amount of messages to the admin (and to any email in the case of the Abuse of Functionality hole). In both cases the Insufficient Anti-automation hole is at the contact page.
Only the Cross-Site Request Forgery and Cross-Site Scripting holes in both plugins exist at the options page (options-contactform.php). But even in this case there is some persistent XSS there which can be used to attack visitors of the site at the contact page form. So there are a lot of holes in both of these plugins (like in the original WP-ContactForm 1.5).
And don’t forget about the XSS holes in WP-ContactForm 1.5 (http://websecurity.com.ua/948/) and Contact Form ][ (http://websecurity.com.ua/2328/) which exist at the contact form page. They can be used both for attacking the admin and registered users of the site, and for attacking visitors of the site.
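The comment above and the article's own note about options-contactform.php name four weaknesses: CSRF and persistent XSS on the options page, and abuse of functionality (mail relayed to arbitrary recipients) and insufficient anti-automation on the public contact page. The following is an added example, not code from WP-ContactForm, Contact Form ][ or the article, showing the defensive shape a WordPress contact-form plugin would use for those two pages with standard WordPress APIs (check_admin_referer, wp_nonce_field, current_user_can, sanitize_*, esc_attr, transients). The function names, option key, field names and menu slug (all prefixed example_cf_) are assumptions, and the per-IP limit of five messages per ten minutes is an arbitrary constructed value.

```php
<?php
/*
 * Added example of a hardened options page and contact handler.
 * All example_cf_* names and the option key are hypothetical.
 */

/* --- Options page: capability check, CSRF nonce, sanitize on input, escape on output --- */
function example_cf_render_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['example_cf_submit'] ) ) {
        // A cross-site forged POST cannot carry a valid nonce for this action; this dies if it is missing or wrong.
        check_admin_referer( 'example_cf_save_options', 'example_cf_nonce' );

        $settings = array(
            'recipient' => sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) ),
            'subject'   => sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
        );
        if ( ! is_email( $settings['recipient'] ) ) {
            $settings['recipient'] = get_option( 'admin_email' ); // fall back rather than store junk
        }
        update_option( 'example_cf_settings', $settings );
    }

    $settings = get_option( 'example_cf_settings', array(
        'recipient' => get_option( 'admin_email' ),
        'subject'   => '',
    ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_cf_save_options', 'example_cf_nonce' ); ?>
        <!-- esc_attr() keeps a stored value from breaking out of the attribute (the persistent XSS case) -->
        <input type="email" name="recipient" value="<?php echo esc_attr( $settings['recipient'] ); ?>">
        <input type="text"  name="subject"   value="<?php echo esc_attr( $settings['subject'] ); ?>">
        <input type="submit" name="example_cf_submit" value="Save">
    </form>
    <?php
}

add_action( 'admin_menu', function () {
    add_options_page( 'Example Contact Form', 'Example Contact Form', 'manage_options',
        'example-cf', 'example_cf_render_options_page' );
} );

/* --- Public contact page: recipient comes from stored settings only, plus a per-IP rate limit --- */
function example_cf_handle_submission() {
    if ( empty( $_POST['example_cf_send'] ) ) {
        return;
    }
    // The public nonce ties the POST to a page the browser actually rendered.
    if ( ! isset( $_POST['example_cf_public_nonce'] )
        || ! wp_verify_nonce( $_POST['example_cf_public_nonce'], 'example_cf_send' ) ) {
        wp_die( 'Invalid request.' );
    }

    // Anti-automation: at most 5 submissions per source IP per 10 minutes (constructed limit).
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key = 'example_cf_rate_' . md5( $ip );
    $n   = (int) get_transient( $key );
    if ( $n >= 5 ) {
        wp_die( 'Too many messages, please try again later.' );
    }
    set_transient( $key, $n + 1, 10 * MINUTE_IN_SECONDS );

    $settings = get_option( 'example_cf_settings', array( 'recipient' => get_option( 'admin_email' ), 'subject' => '' ) );

    // Strip CR/LF from anything that reaches a mail header so a sender cannot inject extra headers or recipients.
    $strip_crlf = function ( $s ) { return str_replace( array( "\r", "\n" ), '', $s ); };
    $name   = $strip_crlf( sanitize_text_field( wp_unslash( $_POST['name']  ?? '' ) ) );
    $email  = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $body   = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    $headers = is_email( $email ) ? array( 'Reply-To: ' . $name . ' <' . $email . '>' ) : array();

    // The "to" address is never taken from the request, so the form cannot relay mail elsewhere.
    wp_mail( $settings['recipient'], $strip_crlf( $settings['subject'] ), $body, $headers );
}
add_action( 'init', 'example_cf_handle_submission' );
```

The two decisions that matter most are structural rather than filter-based: the admin handler refuses to act without a nonce bound to the logged-in session, and the public handler has no request parameter that can influence the destination address at all. The transient counter is deliberately simple; a CAPTCHA or a honeypot field would complement it rather than replace it.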
Douglas.
When I find time I’ll write you recommendations about these holes.
Guys.
As I wrote above, I found holes in three contact form plugins. All contact form plugins (like any other plugins) can have holes. So it’s better to attend to security and make a security audit of all plugins and of the whole site.
Just create a page with your contact information. Make a special Gmail email account just for your blog and let ’er rip. I am really starting to stay away from plugins because of all these security issues. Look at Joomla, nearly every plugin has some sort of security issue with it, WordPress to follow.
I have yet to hear from anyone that there’s been a problem here. Any insight to the actual issue and how to resolve it would be appreciated. I’m not a security pro and this is a plugin that I adopted so I don’t work on it often. I’ll be glad to post an update as soon as I can.