Hello @laserstore !
I’m very sorry to hear that you’ve experienced this issue while using our plugin!
Just to confirm – in the Notifications section you have the notifications set to use a different address but the site still sends those using the default email?
2- Defender doesn’t have a specific feature for preventing SQL injections because those are very difficult to protect against from inside the WordPress code. If a plugin has a vulnerability of this kind, it’s most commonly due to incorrect coding which doesn’t use WordPress functions; those functions are designed in a way that prevents injection attacks through filtering. But if a plugin uses custom database access methods (custom unsafe queries), then there’s hardly anything that can be done to filter this out.
Due to this, the recommended way to handle those kinds of vulnerabilities is to use a server-side Web Application Firewall, because it will be able to detect bad requests and prevent them from ever reaching WordPress. Your hosting may offer this kind of feature, or you can use the free Cloudflare plan, which adds a protection layer to your site.
On Defender’s side you can still enact some protections which will help prevent those kinds of attacks, especially using the features in the Firewall section. For example, you can ban bots which try to scan your site for vulnerabilities before trying out an attack; they will often get caught and blocked before they are able to cause any harm. The same goes for login protection, as some of the DB injections can only be attempted when logged in.
Best regards,
Pawel
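As an added illustration of the point made in the reply above (this is editor-added example code, not code from the original post, from Defender or from WPMU DEV), the following WordPress plugin snippet puts a "custom unsafe query" next to the same lookup written with the WordPress `$wpdb->prepare()` function. The table name `example_items`, the function names and the REST route are hypothetical and exist only for the example; the snippet assumes it runs inside a WordPress installation where that table exists.

```php
<?php
/**
 * Plugin Name: Example - unsafe vs prepared $wpdb queries
 * Description: Editor-added illustration (not Defender's code). Compares a
 *              concatenated SQL string with a query built via $wpdb->prepare().
 */

// Hypothetical table used only for this example; assumed to exist.
function example_items_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_items';
}

// VULNERABLE (the "custom unsafe query" case): the request value is pasted
// straight into the SQL string. A request with id "1 OR 1=1" returns every row,
// and a UNION payload can read unrelated tables. Kept here for comparison only,
// deliberately NOT wired to any route. Do not deploy this pattern.
function example_lookup_unsafe( $id ) {
    global $wpdb;
    $table = example_items_table();
    $sql   = "SELECT id, name FROM {$table} WHERE id = " . $id; // attacker-controlled
    return $wpdb->get_results( $sql, ARRAY_A );
}

// SAFE: $wpdb->prepare() binds the value to an integer placeholder (%d), so the
// text "1 OR 1=1" is cast to the integer 1 and cannot change the query shape.
function example_lookup_safe( $id ) {
    global $wpdb;
    $table = example_items_table();
    $sql   = $wpdb->prepare( "SELECT id, name FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Same idea for free text: %s is quoted and escaped by prepare(), and
// $wpdb->esc_like() neutralises the LIKE wildcards (% and _) in user input,
// so a search for "100%" matches the literal string rather than everything.
function example_search_safe( $term ) {
    global $wpdb;
    $table = example_items_table();
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $sql   = $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $like );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hypothetical read-only REST endpoint exposing only the prepared lookup:
//   GET /wp-json/example/v1/item/1
//   GET /wp-json/example/v1/search?q=widget
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/item/(?P<id>[^/]+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_lookup_safe( $request['id'] ) );
        },
    ) );
    register_rest_route( 'example/v1', '/search', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_search_safe( (string) $request->get_param( 'q' ) ) );
        },
    ) );
} );
```

One caveat worth keeping in mind when reviewing a plugin for this pattern: `$wpdb->prepare()` protects values only. Table names, column names and `ORDER BY` directions cannot be passed as `%s` placeholders, so code that builds those parts of a query from request data still needs an allow-list check before the string is assembled, which is exactly the kind of defect a generic filter outside the plugin cannot reliably see.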