Subscribe2

Sends a list of subscribers emails when you publish new posts.


No issues found

Confidence: Medium. This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe.


Warning: old version

This recommendation applies to version 10.21 of this plugin, but the most recent version is 10.22.1. These findings may no longer be correct.

Findings

  • Doesn’t escape all HTML
  • Records the IP address of users who submit subscription requests, but the address is inserted into the subscription form as a hidden field, so the client can change it before submission
    • When admin users export the subscriptions to CSV they will therefore see whatever address the submitter chose rather than the real one (probably not a security issue in itself)
    • The plugin attempts to limit the rate at which the form can be submitted from a single IP (only when a filter called s2_lockout returns a value greater than zero, which it does not by default). Because the IP is client-controlled, a malicious user can defeat that rate limiting simply by varying the hidden field on each submission
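The following is an added illustration of the hidden-field finding above; it is not Subscribe2's own code and does not use the plugin's functions or the s2_lockout filter. It assumes a hypothetical in-memory store, a hypothetical limit of three submissions per 60 seconds, and constructed requests in which one real client (identified by REMOTE_ADDR) rewrites the hidden "ip" field before each submission. The same lockout logic is run twice: once keyed on the address read back from the form, once keyed on the address the server observed at submission time.

```php
<?php
// Added illustrative example, not Subscribe2's own code.
// Shows why trusting a hidden form field for the client IP breaks
// per-IP rate limiting, and how the server-side alternative behaves.

declare(strict_types=1);

/** Flawed pattern: client IP read back out of a hidden form field. */
function ip_from_hidden_field(array $post): string
{
    return (string) ($post['ip'] ?? '');
}

/** Hardened pattern: client IP taken from the server at submission time. */
function ip_from_server(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    // Reject anything that is not a syntactically valid address.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '';
}

/**
 * Hypothetical lockout (not the plugin's): allow at most $limit submissions
 * per $window seconds from one IP. $store maps IP => list of timestamps.
 * Returns true when the submission is permitted.
 */
function rate_limit_allows(array &$store, string $ip, int $now, int $limit = 3, int $window = 60): bool
{
    if ($ip === '') {
        return false; // no usable address: refuse rather than bucket everyone together
    }
    // Drop timestamps that have fallen outside the window.
    $store[$ip] = array_values(array_filter(
        $store[$ip] ?? [],
        fn(int $t): bool => $t > $now - $window
    ));
    if (count($store[$ip]) >= $limit) {
        return false;
    }
    $store[$ip][] = $now;
    return true;
}

// Constructed input: one real client sends six forms within a single
// window, rewriting the hidden "ip" field each time.
$server = ['REMOTE_ADDR' => '203.0.113.7'];
$submissions = [];
for ($i = 1; $i <= 6; $i++) {
    $submissions[] = ['email' => "user$i@example.com", 'ip' => "198.51.100.$i"];
}

$storeFlawed   = [];
$storeHardened = [];
$allowedFlawed   = 0;
$allowedHardened = 0;
foreach ($submissions as $n => $post) {
    $now = 1000 + $n; // all six arrive within one 60 s window
    if (rate_limit_allows($storeFlawed, ip_from_hidden_field($post), $now)) {
        $allowedFlawed++;
    }
    if (rate_limit_allows($storeHardened, ip_from_server($server), $now)) {
        $allowedHardened++;
    }
}

printf("Hidden-field IP: %d of 6 submissions allowed\n", $allowedFlawed);
printf("Server-side IP:  %d of 6 submissions allowed\n", $allowedHardened);
```

Run with `php example.php`. Keyed on the hidden field, every submission arrives under a fresh address, so all six pass the lockout; keyed on REMOTE_ADDR, the fourth and later submissions are refused. The same server-side value is also what should be written to the subscription record, so that the CSV export reflects the address the server saw rather than one the submitter chose.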

We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.

Please read this site's terms of service before taking any action based on information published here.

Testers
Tom Adams
Last revised
July 25, 2017
Versions tested
10.21
Plugin homepage
Subscribe2
Other versions

None listed