
I've seen old versions of this plugin receive security warnings from nvd.nist.gov. We have been using your plugin for many years and have never had any problems or received spam. I was surprised and tried to look at the details on nvd.nist.gov, but I can't see any details. I would like you to explain what it means.

Thank you for using this plugin. Also, thank you for your kind communication.

I'm Madoka BANZAI, the developer of this plugin.

The "nvd.nist.gov security warning" you are referring to is https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=2.3&keyword=cpe%3A2.3%3Aa%3Arainbow-link%3Aall_post_contact_form&status=FINAL%2CDEPRECATED, I think.

I would like to inform you as follows.

On September 21, 2024, I released v1.6.2, which is equipped with a "function to save attachment files on the user's server". When I did that, I received a warning that "shell scripts can be uploaded via your plugin".

When I went to the site that issued the warning to read the report, I found that the warning was based on a "WordPress site installed on localhost." In other words, it wasn't a case of "one of my users' sites was compromised on some public server".

So, I said to the sender of the warning, "I have a real demo site for this plugin ( www.secure-formmail.net ). Please try uploading the shell script to the real demo site". However, I did not receive a reply from the sender of the warning.

My servers have been subjected to various "attacks" every second of every day, including not only the "public demo site of this plugin (www.secure-formmail.net)" but also my company's official website ( Rainbow-Link.com ). However, no shell script has ever been uploaded to any server.

Until August 31, 2024, I had published the real demo site for this plugin on a general shared rental server overseas (a famous hosting service in the UK); even then, no shell script had ever been uploaded.

In other words, I have never been aware of any attacks described on nvd.nist.gov.

However, because I received this warning, WordPress.org refused to publish this plugin for about a month.

So, I added a process that would make WordPress.org happy while I was locked out of WordPress.org. The upload history for that period is from v1.6.3 to v1.7.3.

I called the file in which I wrote the program that performs the actual processing "core" and made it into a single file so that engineers could easily read it, but the official team of wordpress.org told me that there were no comments and it was "too long", so I split the file up and wrote comments. Based on this, I have decided to introduce various "security-related plugins" on the Admin-Window of this plugin. It was one of the developers of these "security-related plugins" that had first issued a "security warning" to me.

Please use the above as a reference.

Thank you for your continued patronage and peace of mind.


URL of this page: https://jp.rainbow-link.com/FAQ.htm?&faq_id=451
