After submitting my website to a vulnerability scanning service, they came back and said that we have an “HTML form without CSRF protection.” After doing a little research a few websites mentioned using BPS, however I have not seen anything mentioned about CSRF on any support forums. The only mention of CSRF is in the plugin description. How do I know if CSRF protection is enabled? Do I have to sort of activate it by adding custom code? Any help on how to enable CSRF protection within the plugin would be very helpful. Thank you.
CSRF protection is included in the standard BPS .htaccess code/files and WordPress itself. Is the HTML form outside of WordPress? Is it part of another website? WordPress has these Form checking conditions available that should be used in all plugins and theme Forms:
if (isset($_POST['blah']) && current_user_can('manage_options')) {
    check_admin_referer( 'blah' ); // stops with wp_die() unless a valid nonce for action 'blah' was posted
    // ... process the submitted form here ...
}
and then in the Form a nonce is used to check the Referer: wp_nonce_field('blah');
I doubt very seriously that Contact Form 7 has a CSRF vulnerability (give that about a 1 in 10,000 chance). What is much more likely is the vulnerability scanner is wrong (give that about a 98% chance). Scanners have a high failure/false flag ratio. What you should do is use 2 other scanners that have the capability to check for CSRF vulnerabilities or just assume the scanner is wrong because it is wrong.
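The full pattern from the reply above (nonce field in the form, capability check plus check_admin_referer() in the handler), written out as an added example plugin; it is not BPS, Contact Form 7 or WordPress core code, and the plugin slug, option name, action string and function names are assumptions for illustration.

```php
<?php
/*
 * Plugin Name: Example Nonce-Protected Settings Form (added example, hypothetical)
 */

// Register a page under Settings; 'example-form' and the callback name are assumed.
add_action( 'admin_menu', function () {
    add_options_page( 'Example Form', 'Example Form', 'manage_options',
        'example-form', 'example_form_render_page' );
} );

function example_form_render_page() {
    // Authorisation: only users holding the capability may see or submit the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Handler side: check_admin_referer() verifies the hidden _wpnonce field for
    // this action and calls wp_die() on failure, so a forged cross-site POST that
    // carries the victim's cookies but no valid nonce never reaches update_option().
    if ( isset( $_POST['example_blah'] ) ) {
        check_admin_referer( 'example_blah_action' );
        update_option( 'example_blah',
            sanitize_text_field( wp_unslash( $_POST['example_blah'] ) ) );
        echo '<div class="updated"><p>Saved.</p></div>';
    }

    $value = esc_attr( get_option( 'example_blah', '' ) );
    ?>
    <form method="post" action="">
        <?php
        // Form side: emits hidden _wpnonce and _wp_http_referer inputs bound to the
        // same action string the handler checks.
        wp_nonce_field( 'example_blah_action' );
        ?>
        <input type="text" name="example_blah" value="<?php echo $value; ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Front-end variant: wp_verify_nonce() returns false/1/2 instead of dying, so a
// public form can reject the request and show an error rather than a white page.
function example_form_front_end_nonce_valid() {
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    return (bool) wp_verify_nonce( $nonce, 'example_blah_action' );
}
```

A scanner that only looks for a token field with a name it recognises may not count `_wpnonce` as CSRF protection, which is one way a form protected exactly like this still gets flagged.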