Plugin inspection:

Contact Form DB

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

Findings

  • Allows deleting all records via a CSRF vulnerability: https://advisories.dxw.com/advisories/csrf-in-contact-form-db-allows-attacker-to-delete-all-stored-form-submissions/
  • Almost vulnerable to SQL injection in CF7DBPlugin.php line 490. It appears that the only thing preventing this is that by default WordPress automatically escapes quotes in REQUEST data using the wp_magic_quotes() function.
  • Uses an API to Google Drive that involves soliciting the user’s password instead of using OAuth 2.0. If the connection is not HTTPS, the user is not warned before entering their password, so users’ passwords may be sent unencrypted.
  • It looks like an attempt has been made to protect the password over insecure channels: the password is encrypted with 3DES (a symmetric cipher) in JavaScript before being sent to the server. However, this is ineffective, since the key used is constant (“3fde789a”), and even if it were not constant an eavesdropper could easily recover the key from the JavaScript, which is itself sent to the user unencrypted.
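
As an added illustration (not the plugin's code and not part of the dxw report), the following WordPress PHP shows how the first three findings above would be addressed: a nonce and capability check on the delete action, $wpdb->prepare() in place of reliance on magic quotes, and refusing to render a password form over plain HTTP. The table name, function names, action and nonce names are hypothetical placeholders, and the vulnerable variants are shown only to contrast with the hardened ones.

```php
<?php
// Added illustration, not the plugin's own code. Table, function, action and
// nonce names are hypothetical placeholders.

// --- 1. Deleting records: require a nonce (CSRF defence) and a capability ---
//
// Vulnerable pattern: a request parameter alone triggers the deletion, so any
// site a logged-in administrator visits can forge the request.
function cfdb_example_delete_all_vulnerable() {
    global $wpdb;
    if ( isset( $_REQUEST['delete_all'] ) ) {
        $wpdb->query( "DELETE FROM {$wpdb->prefix}example_submissions" );
    }
}

// Hardened pattern: the form carries a nonce bound to the action and the user,
// and the handler verifies it before checking the capability and acting.
function cfdb_example_delete_all_form() {
    echo '<form method="post">';
    wp_nonce_field( 'cfdb_example_delete_all', 'cfdb_example_nonce' );
    echo '<input type="hidden" name="cfdb_example_action" value="delete_all">';
    submit_button( 'Delete all submissions' );
    echo '</form>';
}

function cfdb_example_delete_all_hardened() {
    global $wpdb;
    if ( ! isset( $_POST['cfdb_example_action'] ) || 'delete_all' !== $_POST['cfdb_example_action'] ) {
        return;
    }
    // check_admin_referer() terminates the request when the nonce is missing or invalid.
    check_admin_referer( 'cfdb_example_delete_all', 'cfdb_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_submissions" );
}

// --- 2. Querying with request data: use $wpdb->prepare(), not magic quotes ---
//
// Vulnerable pattern: only safe because wp_magic_quotes() happened to escape
// $_REQUEST; that is incidental, and it does nothing for an unquoted value.
function cfdb_example_lookup_vulnerable() {
    global $wpdb;
    $form = $_REQUEST['form_name'];
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}example_submissions WHERE form_name = '$form'"
    );
}

// Hardened pattern: remove the slashes WordPress added, then bind the value
// through prepare(), which escapes for the live connection regardless of
// magic-quotes behaviour.
function cfdb_example_lookup_hardened() {
    global $wpdb;
    $form = isset( $_REQUEST['form_name'] ) ? wp_unslash( $_REQUEST['form_name'] ) : '';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_submissions WHERE form_name = %s",
            $form
        )
    );
}

// --- 3. Soliciting a third-party password: only over HTTPS ---
//
// Client-side encryption with a key shipped in the page adds nothing; the
// transport has to be encrypted. Refuse to render the form otherwise.
function cfdb_example_password_form() {
    if ( ! is_ssl() ) {
        echo '<div class="notice notice-error"><p>';
        echo 'This form sends a password and is only available over HTTPS.';
        echo '</p></div>';
        return;
    }
    echo '<form method="post">';
    wp_nonce_field( 'cfdb_example_save_credentials', 'cfdb_example_nonce' );
    echo '<input type="password" name="cfdb_example_password" autocomplete="off">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The nonce check in section 1 is what closes the CSRF finding: a forged cross-site request cannot include a valid nonce for the victim's session. Section 2 replaces the accidental protection from wp_magic_quotes() with a real one, so the query stays safe if that behaviour ever changes or the value is used unquoted. Section 3 addresses the transport problem only; replacing the password flow with OAuth 2.0, as the report recommends, is a separate change.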

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

  • Allows deleting all records via a CSRF vulnerability

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe request processing

Read more about our failure criteria.