• I purchased the PRO version because you can limit users to only message the admin. This is for the privacy of other users and for security. Unfortunately, my users could not actually send messages to the admin, only reply to messages sent to the admin. OK, I thought that might work for me, and deleted features of the site to make it work like that.

    The only thing is that any user, admin or not, can read all messages to all users from all users, creating a confidentiality problem and a huge security risk. The plugin should not have the word PRIVATE in the title if this is not the case.

    To do this, simply copy the URL of the message, log in as a different user with no connection to the message chain and who is not an administrator, paste it into your browser, and you see the private message of another user.

    The only thing that separates the URL of one message from another is a four-digit number, so someone who wanted to, even a subscriber with no permissions, could read all messages on the server without any knowledge of code.

    This is a much-needed function on WordPress for those of us who use WordPress to manage client information. When are plugin developers going to realize that security is paramount for a lot of people, and WordPress is not just used for blogging about cats?

Viewing 1 replies (of 1 total)
  • Plugin Author Shamim Hasan

    (@shamim51)

    Thank you for your review.
    Per WordPress policy, we offer PRO support on our website here: https://www.shamimsplugins.com/wordpress/support/forum/front-end-pm-pro/

    For users sending messages to the admin, there is a setting for that. We also provide support to understand the settings and set them up as customers want for their website. If someone does not ask support for help setting up, how will we know that a customer is having difficulty with setup? We cannot provide support if we do not get a support request. Please go to our website and create a support topic so that we can assist you in setting things up the way you want.

    As per the WordPress security vulnerability disclosure policy, you should first contact the plugin author PRIVATELY to let him know that there is a security issue in his plugin, so that he can rectify it and other users do not have a security issue. Fortunately, what you write here about security is NOT valid: only the admin, the message sender and the message receivers can see a message; others will not be able to see it. But this plugin is developer friendly; there are hooks to change almost anything in this plugin. If you can see any message, that means some of your custom code changes this behavior. You can create a support request so that I can try to find what is wrong on your website.

    Thanks

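The behaviour the reviewer describes (a message readable by any logged-in user once its sequential numeric ID is pasted into the URL) and the rule the author states (only the admin, the sender and the receivers may see a message) both come down to where the authorization check sits and whether it runs on every request. The following is an added example in WordPress-style PHP, not code from Front End PM or its author; the function names, the `fep_id` query parameter, and the message fields `sender_id`, `recipient_ids` and `content` are assumptions made for illustration.

```php
<?php
// Added example, not Front End PM code. The message shape ($message->sender_id,
// $message->recipient_ids, $message->content), the fep_id query parameter and
// all function names here are assumptions for illustration.

/**
 * Pure authorization rule: site admins may read everything; anyone else must be
 * the sender or one of the recipients. Kept free of WordPress calls so it can be
 * exercised outside WordPress (see the stand-alone check at the bottom).
 */
function example_can_view_message( int $user_id, bool $is_admin, object $message ): bool {
    if ( $user_id <= 0 ) {
        return false; // anonymous or invalid user never sees a message
    }
    if ( $is_admin ) {
        return true;
    }
    if ( (int) $message->sender_id === $user_id ) {
        return true;
    }
    $recipients = array_map( 'intval', (array) $message->recipient_ids );
    return in_array( $user_id, $recipients, true );
}

/**
 * Handler sketch for a URL such as /messages/?fep_id=1234. The ID is a guessable
 * integer, so the rule above must run on every request, before any message
 * content is rendered; hiding links in the UI is not a control.
 * $load_message is a hypothetical loader returning the message object or null.
 */
function example_render_message( callable $load_message ): void {
    $message_id = isset( $_GET['fep_id'] ) ? absint( $_GET['fep_id'] ) : 0;
    $message    = $message_id ? $load_message( $message_id ) : null;
    $user_id    = get_current_user_id();
    $is_admin   = $user_id && user_can( $user_id, 'manage_options' );

    // One response for "no such message" and "not your message", so a user
    // walking through IDs cannot learn which ones exist.
    if ( ! $message || ! example_can_view_message( $user_id, $is_admin, $message ) ) {
        wp_die( esc_html__( 'You are not allowed to view this message.' ), '', array( 'response' => 403 ) );
    }
    echo wp_kses_post( $message->content );
}

// Stand-alone check with constructed data; runs under php-cli outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    $msg = (object) array( 'sender_id' => 7, 'recipient_ids' => array( 1, 12 ), 'content' => 'hello' );
    $cases = array(
        'sender can read'              => example_can_view_message( 7, false, $msg ) === true,
        'recipient can read'           => example_can_view_message( 12, false, $msg ) === true,
        'admin can read'               => example_can_view_message( 3, true, $msg ) === true,
        'unrelated subscriber blocked' => example_can_view_message( 42, false, $msg ) === false, // the review's scenario
        'logged-out blocked'           => example_can_view_message( 0, false, $msg ) === false,
    );
    foreach ( $cases as $name => $ok ) {
        if ( ! $ok ) {
            fwrite( STDERR, "FAIL: $name\n" );
            exit( 1 );
        }
    }
    echo "all authorization checks passed\n";
}
```

The point of separating the pure rule from the handler is that the reviewer's test (log in as an unrelated subscriber, open another user's message URL) becomes a one-line unit test, and the same rule can be reused by any other path that exposes a message (AJAX endpoints, shortcodes, REST routes), which is where such checks are most often forgotten.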
  • The topic ‘WARNING – SECURITY ISSUES’ is closed to new replies.