WordPress plugin that leverages SharedCount.com API to quickly retrieve, cache, and display various social sharing counts.
GNU General Public License v2.0
Vulnerable to spam attack #131
Closed
astronautryan closed 8 months ago
Plugin version: 1.4.1
Current Behavior
Vulnerable to spam when Email is enabled. Is being abused by spammers.
```
021T To: xxxxxxxxxx@qq.com
268 Subject: =?UTF-8?B?WW91ciBmcmllbmQg546p6LWa5qOL54mM5ri45oiPLOi1ouixquWNjuWkpw==?= =?UTF-8?B?56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE1OO+8jOS7peWwj+WNmg==?= =?UTF-8?B?5aSnMTjpgIEyOO+8jOS+n+WPluenkuWIsOW4kOOAgiBoYXMgc2hhcmVkIGFu?= =?UTF-8?B?IGFydGljbGUgd2l0aCB5b3Uu?=
100 X-PHP-Script: xxxxx.com/wp-admin/admin-ajax.php for 180.178.45.18, 172.71.211.11, 180.178.45.18
093 X-PHP-Filename: /home/xxxxx/public_html/wp-admin/admin-ajax.php REMOTE_ADDR: 180.178.45.18
038 Date: Fri, 12 Jan 2024 23:19:28 +0000
041F From: XXXXXX noreply@xxxxxxxx
183R Reply-To: =?UTF-8?B?6LWi6LGq5Y2O5aSn56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE=?= =?UTF-8?B?NTjvvIzku6XlsI/ljZrlpKcxOOmAgTI477yM5L6f5Y+W56eS5Yiw5biQ44CC?= abuse@xxxxxxxxxxx
070I Message-ID: R6MnnPjTSjHKK8sEDTu7z7jndwnLfljUZ1URan4AM@xxxxxxxxx
067 X-Mailer: PHPMailer 6.8.1 (https://github.com/PHPMailer/PHPMailer)
018 MIME-Version: 1.0
040 Content-Type: text/plain; charset=UTF-8
032 Content-Transfer-Encoding: 8bit
Received: from xxxxxxxxxx by xxxxxxxxxxxxxx with local (Exim 4.96.2) (envelope-from xxxxxx@xxxxxxxxxxxxxxxxxxxxx) id 1rOQoD-008hiv-0K for 332460278@qq.com; Fri, 12 Jan 2024 23:19:29 +0000
To: xxxxxxxxxxxxxx@qq.com
Subject: =?UTF-8?B?WW91ciBmcmllbmQg546p6LWa5qOL54mM5ri45oiPLOi1ouixquWNjuWkpw==?= =?UTF-8?B?56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE1OO+8jOS7peWwj+WNmg==?= =?UTF-8?B?5aSnMTjpgIEyOO+8jOS+n+WPluenkuWIsOW4kOOAgiBoYXMgc2hhcmVkIGFu?= =?UTF-8?B?IGFydGljbGUgd2l0aCB5b3Uu?=
X-PHP-Script: xxxxxxxxxx/wp-admin/admin-ajax.php for 180.178.45.18, 172.71.211.11, 180.178.45.18
X-PHP-Filename: /home/xxxxxxxxx/public_html/wp-admin/admin-ajax.php REMOTE_ADDR: 180.178.45.18
Date: Fri, 12 Jan 2024 23:19:28 +0000
From: Shake Guys noreply@xxxxxxxxxx
Reply-To: =?UTF-8?B?6LWi6LGq5Y2O5aSn56S8LSA2NTc5MzEuY29tIC3pqbvlhornp5LpgIE=?= =?UTF-8?B?NTjvvIzku6XlsI/ljZrlpKcxOOmAgTI477yM5L6f5Y+W56eS5Yiw5biQ44CC?= abuse@xxxxxxxxxxxx
Message-ID: R6MnnPjTSjHKK8sEDTu7z7jndwnLfljUZ1URan4AM@xxxxxxxxxxxxxxxx
X-Mailer: PHPMailer 6.8.1 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

7 Signs It’s (redacted) https://xxxxxxxxx/link-to-site-post/
```
Possible Solution
Do not make the subject a variable, make it hard coded by the site owner, and require verification before the user can send unauthenticated.
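The mitigation the reporter proposes (owner-fixed subject, no request-controlled headers, a check before unauthenticated sending), written out as an added example of a hardened admin-ajax "email this post" handler; this is not the plugin's own code. The action name, the `example_share_subject` option and the per-IP limits are hypothetical; everything else is the core WordPress API, with a nonce plus a transient-based rate limit standing in for the verification step.

```php
<?php
// Added example (not from the plugin): hardened "email a post" AJAX handler.
// Hypothetical action/option names; core WordPress functions otherwise.
add_action( 'wp_ajax_nopriv_example_share_email', 'example_share_email_handler' );
add_action( 'wp_ajax_example_share_email', 'example_share_email_handler' );

function example_share_email_handler() {
    // Request must carry a nonce issued with the form, so a bot cannot
    // simply POST to admin-ajax.php as in the reported abuse.
    check_ajax_referer( 'example_share_email', 'nonce' );

    // Exactly one syntactically valid recipient.
    $to = sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) );
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'invalid recipient', 400 );
    }

    // Post must exist and be publicly viewable; the link is built server-side.
    $post = get_post( absint( $_POST['post_id'] ?? 0 ) );
    if ( ! $post || ! is_post_publicly_viewable( $post ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // Per-IP rate limit (hypothetical: 5 mails per hour) via a transient.
    $key = 'example_share_rl_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
    $n   = (int) get_transient( $key );
    if ( $n >= 5 ) {
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $key, $n + 1, HOUR_IN_SECONDS );

    // Subject is fixed by the site owner, never taken from the request.
    $subject = sanitize_text_field(
        get_option( 'example_share_subject', 'An article was shared with you' )
    );

    // The free-text "name" goes only into the body: tags stripped, line breaks
    // removed (no header injection), length capped so it cannot carry an advert.
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $name = substr( preg_replace( '/[\r\n]+/', ' ', $name ), 0, 60 ) ?: 'Someone';
    $body = sprintf( "%s shared an article with you:\n%s\n%s",
        $name, get_the_title( $post ), get_permalink( $post ) );

    // From is the site's own address; no Reply-To or other user-controlled header.
    $headers = array( 'From: ' . get_bloginfo( 'name' ) . ' <' . get_option( 'admin_email' ) . '>' );
    wp_mail( $to, $subject, $body, $headers );
    wp_send_json_success();
}
```

Behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address (as the `172.71.x.x` hop in the reported headers shows), so the rate-limit key would need the proxy's forwarded-client header instead.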