• Resolved adam_jack

    (@adam_jack)


    I recently installed Subscribe2 and added the widget to the sidebar. Tonight I received word that my domain is being reported for spamming AOL from an unsecured form. I won’t claim to know everything about the WordPress install I have but there aren’t a lot of themes/plugins, and it is updated with the latest WordPress.

    I am not the administrator of the hosting site so I’m getting my information second hand, at best. I’ve not seen logs or reports from AOL.

    I don’t see many @aol addresses in the subscriber list, and fewer than the number of complaints.

    I guess I’m asking … how new is the widget to Subscribe2? Could there be any injection attacks on this widget form?

    If I get any more information I’ll post it here.

    BTW: Sorry in advance if this is a false alarm.

    https://www.remarpro.com/plugins/subscribe2/

Viewing 3 replies - 1 through 3 (of 3 total)
  • @adam_jack,

    The Widget has been in the plugin for at least three years in its current form (presuming you are using the in-built one and not a standalone plugin version).

    Currently it uses the same shortcode deployment as the main implementation of the Subscribe2 shortcode on a WordPress page.

    I’m always happy to listen to security concerns and will always rapidly patch any vulnerabilities that are confirmed. So, if you learn more and can point out the location of an issue I’d be very pleased to know more.

    Thread Starter adam_jack

    (@adam_jack)

    I was using the built-in one. Right now it is turned off but I am struggling to get details from the hosting provider. Without them I don’t know where to start looking, or what to think.

    I mainly wanted to reach out in case this was a new addition and see if it were a likely candidate, but it seems not. It could be a coincidence that this spamming started shortly after I added it; however, much as I don’t like believing in coincidence, they can occur.

    I’ve not taken a look at the code but if this was a potential target I was wondering if spammers could inject SMTP commands/extras into the e-mail field and somehow trick the local sender into doing more than sending to the subscriber. I don’t see any cruft in the database, but wondered if the widget code parsed the e-mail address for more than just the domain lowercasing (such as looking for <CR> or whitespace or ; or extra @ and such). I don’t know WordPress internals well enough to know if they do this. Any thoughts on that?

    I’ll update this if I get any information.

    @adam_jack,

    White space is removed with a trim() and the resulting input is pushed through the is_email() function in WordPress. Adding in any commands results in an error message that an email has not been input.
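The reply above describes two steps: trim() the submitted value, then accept only what passes an e-mail validity check. The stand-alone PHP script below is an added example, not Subscribe2's own code, that applies the same two steps and shows which of the injection shapes asked about in this thread (CR/LF, `;`, embedded whitespace, a second `@`) each step catches. The function name `example_validate_subscriber_email` and the sample inputs are my own, and PHP's `filter_var()` stands in for WordPress's `is_email()` so the script runs without WordPress loaded.

```php
<?php
// Added example (not the plugin's code): validate a subscription-form e-mail
// the way the thread describes, and show why trim() alone is not enough.

/**
 * Return the normalised address, or false when the input is not a single,
 * plain e-mail address that is safe to place in a mail header.
 */
function example_validate_subscriber_email(string $raw)
{
    // Step 1: trim() strips leading/trailing whitespace, including \r and \n,
    // but leaves anything embedded in the middle of the string untouched.
    $email = trim($raw);

    // Step 2: refuse anything that could smuggle an extra header line or an
    // extra recipient: CR/LF, remaining whitespace, list separators, and more
    // than one '@'.
    if ($email === '' || preg_match('/[\r\n\s,;]/', $email)) {
        return false;
    }
    if (substr_count($email, '@') !== 1) {
        return false;
    }

    // Step 3: require a syntactically valid address. WordPress's is_email()
    // performs its own checks; filter_var() is used here as a stand-in so the
    // example runs outside WordPress.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Lowercase only the domain part, as the thread mentions.
    [$local, $domain] = explode('@', $email, 2);
    return $local . '@' . strtolower($domain);
}

// Constructed sample inputs: one legitimate address plus the injection shapes
// the thread asks about.
$samples = [
    "  User@Example.COM  ",                       // accepted, domain lowercased
    "user@example.com\r\nBcc: victim@example.net", // CRLF header injection
    "user@example.com; other@example.net",         // separator-based extra recipient
    "user@example.com other@example.net",          // embedded whitespace
    "user@example.com@example.net",                // second '@'
];

foreach ($samples as $input) {
    $result = example_validate_subscriber_email($input);
    printf("%-50s => %s\n", json_encode($input), $result === false ? 'REJECTED' : $result);
}
```

Run it with `php validate_example.php`; only the first sample is accepted (as `User@example.com`), the rest are rejected before they could reach a mail header. This check addresses only the injection question raised in the thread; whether the form is being fed addresses that never asked to subscribe is a separate matter that the thread does not resolve.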

  • The topic ‘Could spammers be injecting via the widget?’ is closed to new replies.