Source: https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html

Gravity Forms is a WordPress plugin used originally for contact forms, but in a more general sense, it allows site owners to create forms to collect information. Gravity Forms can be used for contact forms, WordPress post creation, calculators, employment applications and more.

Sounds nice... except:

Gravity Forms v1.8.20 is now available via automatic update and the customer downloads page. This is an important security and maintenance release.
We recommend all users update as soon as possible. It is important to always keep WordPress, plugins and themes up to date as a matter of best practice.

  • Fixed a security issue with the file upload field.
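The release note above says only that a security issue in the file upload field was fixed; the post title names the class of bug, an arbitrary file upload. The following is an added example, written for this page and not taken from Gravity Forms, WordPress core, or Sucuri's post, of how a form upload handler can be hardened against that class: it distrusts the client-supplied name and content type, allowlists the extension, sniffs the real MIME type from the bytes, renames the file, and stores it with no execute bit. The function names, the allowlist, and the upload directory are assumptions.

```php
<?php
// Added example of a hardened form upload handler. This is illustrative
// code, not Gravity Forms' or WordPress core's implementation; function
// names, the allowlist and the upload directory are assumptions.

/**
 * Validate one entry from $_FILES against an allowlist that pairs each
 * permitted extension with the MIME type its bytes must actually have.
 * Returns a freshly generated filename, or throws on any mismatch.
 */
function validate_form_upload(array $file, array $allowed = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
]): string {
    // Reject failed uploads and anything that did not arrive via PHP's
    // upload mechanism (guards against path values smuggled into $file).
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real upload');
    }

    // Only the final extension matters for the allowlist; a name such as
    // "x.php.png" still ends in png, so the MIME check below must agree
    // with the extension rather than trusting the name alone.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        throw new RuntimeException("Extension .$ext is not permitted");
    }

    // Determine the content type from the file bytes, never from the
    // client-controlled $file['type'] header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }

    // Discard the user-supplied name entirely: a random name defeats
    // directory traversal in the name and prevents overwriting other files.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Move a validated upload into the storage directory. That directory must
 * also be configured at the web-server level so that no script handler
 * (PHP or otherwise) runs on files inside it.
 */
function store_form_upload(array $file, string $upload_dir): string {
    $name = validate_form_upload($file);
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload into place');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $dest;
}

// Usage inside a request handler (assumed field name and directory):
// $path = store_form_upload($_FILES['attachment'], '/var/www/uploads');
```

The validation is only half of the defence: even a correctly allowlisted image is harmless only if the directory it lands in is served as static content, so the server configuration that denies script execution there is as much part of the fix as the PHP above.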

In addition:

Critical Vulnerability Found in Popular WordPress Contact Form Plugin

Custom Contact Forms

The plugin's developers refused to fix the vulnerability after being notified by the security firm, but they did release an update to address the issue after Sucuri alerted the security team at WordPress. Users are advised to update their installations to version 5.1.0.4 or later as soon as possible.

Sucuri has advised WordPress website administrators to use other contact form plugins, such as JetPack and Gravity Forms, accusing the developers of Custom Contact Forms of not taking security seriously.

This means you cannot simply trust plugin developers to know how to do their jobs, or to actually do them.


If "caveat emptor" was ever true, it has never been truer than here.

Powered By: Techweavers Inc.