Scam Alert: plumsail.com — Unauthenticated Webhook Subscription Deletion — Missing Authentication + Confirmed Data Destruction
Company / Program: plumsail.com
Platform: Self-Hosted · Severity: high · Scam type: no-payout
Published:
Reported by: BUG HUNTER XYZ
The DELETE /api/submissions/{subscriberId} endpoint on forms.plumsail.com requires ZERO authentication.
Any unauthenticated attacker can permanently delete any webhook subscription by sending a single HTTP request with no credentials.
This was confirmed with a full lifecycle test: a real subscription was created with a valid Bearer token, then deleted by an anonymous request (no token), and the deletion was verified by successfully re-registering the same subscription parameters under a new ID — proving the original record was permanently removed from the database.
The OpenAPI specification (swagger.json) explicitly declares this endpoint with no security requirement (security: []) — confirming this is not accidental but a design omission.
They reply with:
Hello,
Thank you for the vulnerability report! Now, unfortunately, in this particular case, our tech team has deemed this an acceptable flaw, so we cannot offer compensation for the discovery - it’s just too specific and has little risk for the end user.
If you find anything else - please, let us know, we might be able to offer a bounty for another issue!
---
Sincerely,
Margo
Plumsail Team