For the first part, I would argue how much of a “security” risk that is, since that hidden field is ONLY there if the user is logged in when filling out the sign-up form. So, unless you are a site that allows anyone to register, with no checks for spammers, it would not be an issue. Beyond that, the name and phone info is ONLY updated if it was previously NOT set for that particular user. So, no, a malicious user could not use it to change the name or phone number of somebody who already has that info set in their profile. Plus, everything is validated before the form is submitted, and then sanitized before the info is saved, so, worst case, if you allow malicious users to register on your site, and they can guess the user id of another user who doesn’t have that info already in their profile, they can add a fake name or phone number to that other user’s profile, which would never be shown to the public anyway in most WordPress setups. They can’t utilize that for any kind of malicious code.
For the second part, I’m happy to accept code additions & contributions to the project, especially since I have pretty much stopped all development on these free plugins, with the exceptions of bug & compatibility fixes.
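The case the reply describes (a logged-in user submitting another user's id in the hidden field) next to a server-side check that ties the update to the authenticated user, as an added example that is not the plugin's code or part of the original reply. It is a plain-PHP model: the `signup_user_id` field, the `profile` array, the in-memory profile store and the function names are all assumptions.

```php
<?php
// Added illustration; not the plugin's code. Field and meta names are hypothetical.

// Constructed sample profiles keyed by user id (stands in for WordPress user meta).
$profiles = [
    7 => ['first_name' => 'Mallory', 'phone' => '555-0100'],
    9 => ['first_name' => '',        'phone' => ''],          // profile with nothing set yet
];

// Fill-if-empty update, as the reply describes: existing values are never overwritten.
function fill_if_empty(array &$profiles, int $user_id, array $fields): array {
    $written = [];
    foreach ($fields as $key => $value) {
        $value = trim(strip_tags((string) $value));           // minimal sanitizing for the demo
        if ($value !== '' && isset($profiles[$user_id]) && ($profiles[$user_id][$key] ?? '') === '') {
            $profiles[$user_id][$key] = $value;
            $written[] = $key;
        }
    }
    return $written;                                          // keys that were actually stored
}

// Pattern under discussion: the target user id is read from the submitted form.
function handle_trusting_form(array &$profiles, array $post): array {
    return fill_if_empty($profiles, (int) ($post['signup_user_id'] ?? 0), $post['profile'] ?? []);
}

// Hardened: the target is always the authenticated user; a mismatching field is rejected.
// In WordPress, $session_user_id would come from get_current_user_id().
function handle_bound_to_session(array &$profiles, array $post, int $session_user_id): array {
    $claimed = (int) ($post['signup_user_id'] ?? $session_user_id);
    if ($session_user_id <= 0 || $claimed !== $session_user_id) {
        return [];                                            // drop the profile update
    }
    return fill_if_empty($profiles, $session_user_id, $post['profile'] ?? []);
}

// Constructed request: user 7 is logged in, but the hidden field carries user 9's id.
$post = ['signup_user_id' => '9', 'profile' => ['first_name' => 'Fake', 'phone' => '555-0199']];

$a = $profiles;   // separate copies so each handler starts from the same state
$b = $profiles;
echo 'trusting form: ', json_encode(handle_trusting_form($a, $post)), "\n";
echo 'session-bound: ', json_encode(handle_bound_to_session($b, $post, 7)), "\n";
```

Validation and sanitizing constrain what value is stored; only the session binding constrains whose profile it is stored in.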