jaredatch / Shared-Counts

WordPress plugin that leverages SharedCount.com API to quickly retrieve, cache, and display various social sharing counts.
GNU General Public License v2.0

Vulnerable to spam attack #131

Closed astronautryan closed 8 months ago

astronautryan commented 8 months ago

Plugin version

1.4.1

Current Behavior

Vulnerable to spam when Email is enabled. Is being abused by spammers.

```text
021T To: xxxxxxxxxx@qq.com 268 Subject: =?UTF-8?B?WW91ciBmcmllbmQg546p6LWa5qOL54mM5ri45oiPLOi1ouixquWNjuWkpw==?= =?UTF-8?B?56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE1OO+8jOS7peWwj+WNmg==?= =?UTF-8?B?5aSnMTjpgIEyOO+8jOS+n+WPluenkuWIsOW4kOOAgiBoYXMgc2hhcmVkIGFu?= =?UTF-8?B?IGFydGljbGUgd2l0aCB5b3Uu?= 100 X-PHP-Script: xxxxx.com/wp-admin/admin-ajax.php for 180.178.45.18, 172.71.211.11, 180.178.45.18 093 X-PHP-Filename: /home/xxxxx/public_html/wp-admin/admin-ajax.php REMOTE_ADDR: 180.178.45.18 038 Date: Fri, 12 Jan 2024 23:19:28 +0000 041F From: XXXXXX noreply@xxxxxxxx 183R Reply-To: =?UTF-8?B?6LWi6LGq5Y2O5aSn56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE=?= =?UTF-8?B?NTjvvIzku6XlsI/ljZrlpKcxOOmAgTI477yM5L6f5Y+W56eS5Yiw5biQ44CC?= abuse@xxxxxxxxxxx 070I Message-ID: R6MnnPjTSjHKK8sEDTu7z7jndwnLfljUZ1URan4AM@xxxxxxxxx 067 X-Mailer: PHPMailer 6.8.1 (https://github.com/PHPMailer/PHPMailer) 018 MIME-Version: 1.0 040 Content-Type: text/plain; charset=UTF-8 032 Content-Transfer-Encoding: 8bit Received: from xxxxxxxxxx by xxxxxxxxxxxxxx with local (Exim 4.96.2) (envelope-from xxxxxx@xxxxxxxxxxxxxxxxxxxxx) id 1rOQoD-008hiv-0K for 332460278@qq.com; Fri, 12 Jan 2024 23:19:29 +0000 To: xxxxxxxxxxxxxx@qq.com Subject: =?UTF-8?B?WW91ciBmcmllbmQg546p6LWa5qOL54mM5ri45oiPLOi1ouixquWNjuWkpw==?= =?UTF-8?B?56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE1OO+8jOS7peWwj+WNmg==?= =?UTF-8?B?5aSnMTjpgIEyOO+8jOS+n+WPluenkuWIsOW4kOOAgiBoYXMgc2hhcmVkIGFu?= =?UTF-8?B?IGFydGljbGUgd2l0aCB5b3Uu?= X-PHP-Script: xxxxxxxxxx/wp-admin/admin-ajax.php for 180.178.45.18, 172.71.211.11, 180.178.45.18 X-PHP-Filename: /home/xxxxxxxxx/public_html/wp-admin/admin-ajax.php REMOTE_ADDR: 180.178.45.18 Date: Fri, 12 Jan 2024 23:19:28 +0000 From: Shake Guys noreply@xxxxxxxxxx Reply-To: =?UTF-8?B?6LWi6LGq5Y2O5aSn56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE=?= =?UTF-8?B?NTjvvIzku6XlsI/ljZrlpKcxOOmAgTI477yM5L6f5Y+W56eS5Yiw5biQ44CC?= abuse@xxxxxxxxxxxx Message-ID: R6MnnPjTSjHKK8sEDTu7z7jndwnLfljUZ1URan4AM@xxxxxxxxxxxxxxxx X-Mailer: PHPMailer 6.8.1
(https://github.com/PHPMailer/PHPMailer) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit

7 Signs It’s (redacted) https://xxxxxxxxx/link-to-site-post/
```

Expected Behavior

Possible Solution

Do not make the subject a variable, make it hard coded by the site owner, and require verification before the user can send unauthenticated.

Steps to Reproduce (for bugs)


Screenshots (if appropriate)
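The mitigation the report asks for (a subject fixed by the site owner instead of taken from the request, plus verification before an unauthenticated visitor can trigger a send) can be seen in a hardened `admin-ajax.php` handler for an "email this post" feature. The code below is an added example written for this page; it is not the Shared Counts plugin's own code and does not reflect how the plugin's handler is implemented. The action name `example_email_share`, the nonce action, the honeypot field name `website`, the transient key prefix and the rate-limit numbers are all hypothetical; every WordPress function used is a real core API.

```php
<?php
/**
 * Added example (not the Shared Counts plugin's own code): a hardened
 * admin-ajax.php handler for an "email this post" feature, following the
 * issue's suggestion that the subject be fixed by the site owner and that
 * unauthenticated sends require verification. Hook name, nonce action,
 * honeypot field and transient prefix are hypothetical.
 */

// Register for both logged-in and logged-out requests to admin-ajax.php.
add_action( 'wp_ajax_example_email_share',        'example_email_share_handler' );
add_action( 'wp_ajax_nopriv_example_email_share', 'example_email_share_handler' );

/**
 * Collapse CR/LF so a value can never inject additional mail headers.
 */
function example_single_line( $value ) {
    return trim( preg_replace( '/[\r\n]+/', ' ', (string) $value ) );
}

/**
 * Small per-client rate limit backed by a transient. Assumption: REMOTE_ADDR
 * holds the real client address (adjust if a proxy sits in front of PHP).
 */
function example_share_rate_limited( $ip, $limit = 5, $window = HOUR_IN_SECONDS ) {
    $key   = 'example_share_' . md5( $ip );
    $count = (int) get_transient( $key );
    if ( $count >= $limit ) {
        return true;
    }
    set_transient( $key, $count + 1, $window );
    return false;
}

function example_email_share_handler() {
    // 1. Verification: the nonce must come from a form the site itself rendered
    //    (create it with wp_create_nonce( 'example_email_share' ) in the template).
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_email_share', 'nonce' );

    // 2. Honeypot: real visitors leave the hidden field empty, bots usually fill it.
    if ( ! empty( $_POST['website'] ) ) {
        wp_send_json_error( 'Rejected.', 400 );
    }

    // 3. Rate limit by client address so one host cannot pump out bulk mail.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( example_share_rate_limited( $ip ) ) {
        wp_send_json_error( 'Too many requests.', 429 );
    }

    // 4. Recipient must be a single syntactically valid address.
    $to = isset( $_POST['recipient'] ) ? sanitize_email( wp_unslash( $_POST['recipient'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'Invalid recipient.', 400 );
    }

    // 5. The post must exist and be published; the link is built server-side
    //    from the post ID, never copied from the request.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = get_post( $post_id );
    if ( ! $post || 'publish' !== $post->post_status ) {
        wp_send_json_error( 'Unknown post.', 404 );
    }

    // 6. Subject is fixed by the site: site name plus the post title. Nothing
    //    from the request reaches the Subject header.
    $site    = example_single_line( get_bloginfo( 'name' ) );
    $subject = sprintf(
        '%s: %s',
        $site,
        example_single_line( wp_strip_all_tags( get_the_title( $post ) ) )
    );

    // 7. An optional visitor note is sanitised, length-capped and appended as
    //    plain text so it cannot carry headers or HTML (mb_substr: WordPress
    //    ships a polyfill when the mbstring extension is absent).
    $note = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    $note = mb_substr( $note, 0, 500 );

    $body = "Someone thought you might like this article from {$site}:\n\n"
          . get_permalink( $post ) . "\n";
    if ( '' !== $note ) {
        $body .= "\nTheir note:\n" . $note . "\n";
    }

    // 8. No From or Reply-To derived from user input; wp_mail() uses the
    //    site's configured sender, so the spammer cannot set a reply address.
    if ( ! wp_mail( $to, $subject, $body ) ) {
        wp_send_json_error( 'Mail could not be sent.', 500 );
    }
    wp_send_json_success( 'Sent.' );
}
```

Two points about the design: the fixed subject is what removes the spam payload seen in the report, because the abuser's text can no longer appear in the Subject or Reply-To headers, only in a length-capped plain-text note; and the nonce alone is not enough for a `nopriv` endpoint, since an anonymous nonce can be read from the rendered page by a script, so the rate limit and honeypot are what actually slow bulk abuse. The same header dump that surfaced this issue (`X-PHP-Script ... admin-ajax.php` with an outbound mail per request) is also a usable detection signal in mail logs for hosts that expose similar share-by-email endpoints.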