Comments on: WP-ContactForm HTML Injection Vulnerability

By: Michael

Michael — Sat, 22 Dec 2007 17:47:57 +0000

@mustlive… “And they need to fix these holes.”
Do you have any suggestions as to how I can fix these holes, or do I simply de-activate the plug-in?
More importantly: Is there a safe replacement plug-in?

Happy Christmas, etc.,
Michael

By: DK

DK — Thu, 20 Dec 2007 18:38:19 +0000

Mustlive, thanks for the heads up.

By: MustLive

MustLive — Thu, 20 Dec 2007 16:58:44 +0000

These are vulnerabilities in WP-ContactForm 2.0.7 (and previous 2.x versions). And recently I wrote (http://websecurity.com.ua/1641/) about XSS holes in WP-ContactForm 1.5 alpha (and previous 1.x versions) of the plugin.

So users of both original 1.x version and new 2.x version of the plugin are in risk. And they need to fix these holes.