Title: Possible Security Flaw in Shortcode Forms
Last modified: August 31, 2016

---

# Possible Security Flaw in Shortcode Forms

 *  [niravz](https://wordpress.org/support/users/niravz/)
 * (@niravz)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/possible-security-flaw-in-shortcode-forms/)
 * Hi Team,
 * I would like to know if there’s some misconfiguration at my end or is it an actual
   security flaw – but would it be right to write the entire test case here in a
   public post?
 * The flaw that I found was when someone filled in the the Shortcode Form generated
   by WP-CRM (may be using CF7, I don’t know) allows for updation of data of other
   users (e.g. First Name, Last Name, Phone Number) without valid authorization.
 * [https://wordpress.org/plugins/wp-crm/](https://wordpress.org/plugins/wp-crm/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Contributor [MariaKravchenko](https://wordpress.org/support/users/mariakravchenko/)
 * (@mariakravchenko)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/possible-security-flaw-in-shortcode-forms/#post-7111667)
 * Hello.
 * You are right, this can be done, but this is not bug or security flaw.
 * Our forms collecting user’s information for admin purposes, just for monitoring
   user’s activity.
 * Forms do not have any security attributes in general, so if someone will fill
   it with wrong information, that can’t influence on security of your site.
 * Regards.
 *  Thread Starter [niravz](https://wordpress.org/support/users/niravz/)
 * (@niravz)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/possible-security-flaw-in-shortcode-forms/#post-7111878)
 * Hi,
 * Thanks for the info.
 * So how do I unlink the form from saving data to the WP Users table? Because this
   is messing with the first_name/last_name of the WP users info table, and we don’t
   want open forms collecting the First Name, Last Name, etc. data update the user
   info randomly just because someone puts an existing email id.
 *  Plugin Contributor [MariaKravchenko](https://wordpress.org/support/users/mariakravchenko/)
 * (@mariakravchenko)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/possible-security-flaw-in-shortcode-forms/#post-7111880)
 * You do not need to use those attribute in the form than, create some other one
   for your form.
 * Regards.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Possible Security Flaw in Shortcode Forms’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/wp-crm_c36510.svg)
 * [WP-CRM - Customer Relations Management for WordPress](https://wordpress.org/plugins/wp-crm/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wp-crm/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wp-crm/)
 * [Active Topics](https://wordpress.org/support/plugin/wp-crm/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wp-crm/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wp-crm/reviews/)

## Tags

 * [forms](https://wordpress.org/support/topic-tag/forms/)

 * 3 replies
 * 2 participants
 * Last reply from: [MariaKravchenko](https://wordpress.org/support/users/mariakravchenko/)
 * Last activity: [10 years, 3 months ago](https://wordpress.org/support/topic/possible-security-flaw-in-shortcode-forms/#post-7111880)
 * Status: not resolved