Highfivery / zero-spam-for-wordpress

The WordPress Zero Spam plugin makes blocking spam a cinch without all the bloated options. Just install, activate, and say goodbye to spam.
https://wordpress.org/plugins/zero-spam/

Reported Spam Protection Bypass Issue #386

Closed mwright1701 closed 6 months ago

mwright1701 commented 6 months ago

Describe your question

Hi,

Are the maintainers aware that a random bug hunter has posted to Wordfence that there's a security issue with Zero Spam? https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/zero-spam/zero-spam-555-spam-protection-bypass There's basically no information provided by the "security researcher." The CVE is a placeholder and the References provided aren't actually helpful. The first is basically a circular reference; it simply points to another bug bounty site where they reported the same thing (again with no real details), and the second reference is a link to the Trac source code of an entirely different plugin. So I'm not sure if this is even a proper bug/issue the person found?

More confusingly, it looks like you fixed this issue in 5.5.2: https://github.com/Highfivery/zero-spam-for-wordpress/pull/368

But for some reason the bug hunter is reporting that the vuln is still there in 5.5.5. Similarly, hosting provider WP Engine is still showing that 5.5.6 has the vuln when I run their plugin checker.


RealAct commented 6 months ago

I'm also very confused by this. Please clarify the situation.

There are several users also posting on the WordPress support page for this plugin, but it looks like the developers don't pay any attention to that page, which maybe they should, as people will first go there before anywhere else to post major issues they encounter; few know about this site.

Thanks in advance!

mwright1701 commented 6 months ago

So despite the lack of acknowledgment here, I see they did release version 5.5.7, which says it fixes the vulnerability.