Title: Export – Security Issue Resolved?
Last modified: June 12, 2019

---

# Export – Security Issue Resolved?

 *  [Fabbstar](https://wordpress.org/support/users/fabbstar/)
 * (@fabbstar)
 * [6 years, 11 months ago](https://wordpress.org/support/topic/export-security-issue-resolved/)
 * Hi there,
 * I use the original CFDB plugin and would consider using your version however 
   one of the setbacks of the plugin is the export feature.
 * The example below is what the export feature generates, i.e. a url with the export
   format, form name and you can then append other show/hide parameters:
 * [http://mywordpress.com/wp-admin/admin-ajax.php?action=cfdb-export&form=Form+Name&enc=JSON&format=map](http://mywordpress.com/wp-admin/admin-ajax.php?action=cfdb-export&form=Form+Name&enc=JSON&format=map)
 * The problem is, if you are looking to use the export feature to let a user see
   all of their submissions i.e. by appending the parameter as follows:
 * [http://mywordpress.com/wp-admin/admin-ajax.php?action=cfdb-export&form=Form+Name&enc=JSON&format=map&User=DemoUsername](http://mywordpress.com/wp-admin/admin-ajax.php?action=cfdb-export&form=Form+Name&enc=JSON&format=map&User=DemoUsername)
 * Then the user can simply delete the “&User=DemoUsername” from the url and export
   all of the form data.
 * Is this something you have fixed or are looking to fix?
 * For example, could it work in the same way that an API does, i.e. the export 
   feature only works if the “&User=DemoUsername” is present in the url along with
   the user’s Username and Password?
 * Thanks,
    S


 *  Plugin Author [contactic](https://wordpress.org/support/users/contactic/)
 * (@contactic)
 * [6 years, 10 months ago](https://wordpress.org/support/topic/export-security-issue-resolved/#post-11782093)
 * Hello Fabbstar,
 * Can you tell us where User=DemoUsername is coming from when you generate
   the export url? What do you click on to get this parameter? Is this a ‘transform’
   function?
 * The Contactic team
 *  Thread Starter [Fabbstar](https://wordpress.org/support/users/fabbstar/)
 * (@fabbstar)
 * [6 years, 10 months ago](https://wordpress.org/support/topic/export-security-issue-resolved/#post-11790050)
 * Hey,
 * That’s just an example field which you could use to provide a user a feed of 
   their submissions, you would need to filter results for that user only and so
   as an example, I have assumed there is a column in the form named ‘User’, which
   stores the Username of the user.
 * The issue is when you create the export link, all somebody needs to do is remove
   this filter from the url and then they can export all of the form’s data.
 * I would be keen to know if there is a plan to make this less vulnerable.
    -  This reply was modified 6 years, 10 months ago by [Fabbstar](https://wordpress.org/support/users/fabbstar/).
 *  Plugin Author [contactic](https://wordpress.org/support/users/contactic/)
 * (@contactic)
 * [6 years, 10 months ago](https://wordpress.org/support/topic/export-security-issue-resolved/#post-11790947)
 * Well… I think that we can’t talk about a **vulnerability** here since we are 
   arguing about a filter someone could remove… or not. And a filter… well… does
   its filtering job when it’s present… or not.
 * Anyhow, I think that you would be interested in a feature capable of generating
   obfuscated export urls (with a filter inside) that you would share with someone.
   And this obfuscated link would obviously not be altered (cause it would be a 
   unique string… referring to a particular export)
 * Am I right?
 * _[ [Signature deleted](https://wordpress.org/support/guidelines/#do-not-spam)]_
    -  This reply was modified 6 years, 10 months ago by [contactic](https://wordpress.org/support/users/contactic/).
    -  This reply was modified 6 years, 10 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [6 years, 10 months ago](https://wordpress.org/support/topic/export-security-issue-resolved/#post-11792431)
 * Side note to [@contactic](https://wordpress.org/support/users/contactic/) Thanks
   for the great support but please lose the signature. That’s prohibited in these
   forums as it’s been horribly abused in the past by others.
 * > The Contactic team
 * Yes, bad people ruin it for others. No, I am not kidding. Please refrain from
   that.
 * [https://wordpress.org/support/guidelines/#avoid-signatures](https://wordpress.org/support/guidelines/#avoid-signatures)
 *  Plugin Author [contactic](https://wordpress.org/support/users/contactic/)
 * (@contactic)
 * [6 years, 10 months ago](https://wordpress.org/support/topic/export-security-issue-resolved/#post-11792498)
 * [@jdembowski](https://wordpress.org/support/users/jdembowski/) : got it and makes
   sense 😉
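
A tamper-evident export link, sketched in plain PHP as an added example (not code from CFDB or Contactic): it uses an HMAC-signed URL rather than the opaque unique string suggested in the thread, so removing or changing the `User` filter invalidates the link. The function names, the `expires` and `sig` parameters, the key and the timestamps are assumptions made for this illustration.

```php
<?php
// Added example, not CFDB or Contactic code. The key below is a constructed
// placeholder; a real deployment would use a random server-side secret.
const EXPORT_LINK_KEY = 'constructed-demo-key';

/** Canonical string covered by the MAC: every parameter except sig, sorted. */
function export_canonical(array $params): string
{
    unset($params['sig']);
    ksort($params);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Build a link whose form, filter and expiry cannot be changed or removed. */
function export_sign(string $base, array $params, int $expires): string
{
    $params['expires'] = (string) $expires;
    $params['sig'] = hash_hmac('sha256', export_canonical($params), EXPORT_LINK_KEY);
    return $base . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Return the signed parameters, or null if the link was altered or expired. */
function export_verify(string $url, int $now): ?array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    $sig = $params['sig'] ?? '';
    if (!is_string($sig) || !is_string($params['expires'] ?? null)) {
        return null;
    }
    $expected = hash_hmac('sha256', export_canonical($params), EXPORT_LINK_KEY);
    if (!hash_equals($expected, $sig) || (int) $params['expires'] < $now) {
        return null;
    }
    unset($params['sig']);
    return $params; // the export must filter on these values only
}

// Constructed sample: the export URL from the thread, with a constructed expiry.
$link = export_sign('http://mywordpress.com/wp-admin/admin-ajax.php', [
    'action' => 'cfdb-export', 'form' => 'Form Name',
    'enc' => 'JSON', 'format' => 'map', 'User' => 'DemoUsername',
], 1560384000);
$now = 1560300000;

var_dump(export_verify($link, $now));                                        // untouched link
var_dump(export_verify(preg_replace('/&User=[^&]*/', '', $link), $now));     // filter removed
var_dump(export_verify(str_replace('DemoUsername', 'Other', $link), $now));  // filter changed
var_dump(export_verify($link, 1560384001));                                  // past expiry
```

In a request handler the array returned by `export_verify()`, not the raw query string, would drive the export query. A signed link is still a bearer credential: anyone who obtains it can use it until it expires.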


The topic ‘Export – Security Issue Resolved?’ is closed to new replies.


 * 4 replies
 * 3 participants
 * Last reply from: [contactic](https://wordpress.org/support/users/contactic/)
 * Last activity: [6 years, 10 months ago](https://wordpress.org/support/topic/export-security-issue-resolved/#post-11792498)
 * Status: not resolved