- Allows deleting all records via a CSRF vulnerability: https://advisories.dxw.com/advisories/csrf-in-contact-form-db-allows-attacker-to-delete-all-stored-form-submissions/
- Almost vulnerable to SQL injection in CF7DBPlugin.php line 490. It appears that the only thing preventing this is that by default WordPress automatically escapes quotes in REQUEST data using the
- Uses a Google Drive API integration that solicits the user’s password instead of using OAuth 2.0. If the connection is not HTTPS, the user is not warned before entering their password, so users’ passwords may be sent unencrypted.
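To illustrate the first two findings (a delete action with no CSRF protection, and SQL that only survives because WordPress magic-quotes request data), here is an added example showing the weak pattern beside a hardened one. It is not the plugin's code; the table name, action name, nonce name and function names are assumptions.

```php
<?php
// Added illustrative example, not code from the Contact Form DB plugin.
// 'example_submits', 'cfdb_delete_all_action' and the function names are assumed.

// WEAK PATTERN: a destructive action reachable with no nonce and no capability
// check, and request data interpolated straight into SQL. It only avoids
// injection while WordPress keeps adding slashes to $_REQUEST; a delete link
// followed by a logged-in admin is enough to wipe the table (CSRF).
function cfdb_example_delete_all_weak() {
    global $wpdb;
    if ( isset( $_REQUEST['cfdb_delete_all'] ) ) {
        $form = $_REQUEST['form_name'];
        $wpdb->query( "DELETE FROM {$wpdb->prefix}example_submits WHERE form_name = '$form'" );
    }
}

// HARDENED PATTERN: capability check, nonce verification, prepared statement.
function cfdb_example_delete_all_hardened() {
    global $wpdb;
    if ( ! isset( $_POST['cfdb_delete_all'] ) ) {
        return;
    }
    // 1. Only users permitted to manage the site may delete submissions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // 2. Reject requests lacking a nonce bound to this action and this user
    //    (check_admin_referer dies on failure), which defeats cross-site forgery.
    check_admin_referer( 'cfdb_delete_all_action', 'cfdb_nonce' );
    // 3. Undo WordPress' added slashes and let $wpdb quote the value itself,
    //    so correctness no longer depends on the magic-quoting behaviour.
    $form = wp_unslash( $_POST['form_name'] );
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}example_submits WHERE form_name = %s",
        $form
    ) );
}

// The admin form that triggers the hardened handler must emit the matching nonce.
function cfdb_example_render_delete_form() {
    echo '<form method="post">';
    wp_nonce_field( 'cfdb_delete_all_action', 'cfdb_nonce' );
    echo '<input type="hidden" name="form_name" value="contact">';
    submit_button( 'Delete all submissions', 'delete', 'cfdb_delete_all' );
    echo '</form>';
}
```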
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
- Allows deleting all records via a CSRF vulnerability