[Plugin: User Submitted Posts] Security issue with this pluign | ww.wp.xz.cn

Resolved maorb
(@maorb)

15 years, 1 month ago

I’ve checked a bit the code of your plugin, and it appears it is not using at all any security check of WordPress nonce.
A nonce field must be included in the form submission to prevent un-authorized submissions to the database.

http://ww.wp.xz.cn/extend/plugins/user-submitted-posts/

Viewing 5 replies - 1 through 5 (of 5 total)

Moogle Stiltzkin
(@moogle-stiltzkin)

14 years, 10 months ago

Hi Maorb,

I’m curious to know more. Is there a fix for this ?

Thread Starter maorb
(@maorb)

14 years, 10 months ago

The fix should be, of course, to re-write some of the plugin’s code.
I won’t recommend using this plugin in production sites, you can never know who can hack to your site through this security hole.

arni
(@arni)

14 years, 10 months ago

Good know, thanks. Uninstalled this plugin

Moogle Stiltzkin
(@moogle-stiltzkin)

14 years, 10 months ago

i like the idea of guest submitted articles, but at the cost of my security.

Thx for highlighting this maorb.

Moogle Stiltzkin
(@moogle-stiltzkin)

14 years, 10 months ago

I believe there is another plugin called

you can post 2

But that also has issues with security in the sense, the guest can upload any type of file and html coding they want @_@:

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘[Plugin: User Submitted Posts] Security issue with this pluign’ is closed to new replies.

5 replies
3 participants
Last reply from: Moogle Stiltzkin
Last activity: 14 years, 10 months ago
Status: resolved