Reply To: Search order query

#31352
Ernest Marcinko
Keymaster

Hi Tonya,

Thank you, I am doing just fine 🙂 I hope you are all right too.

1. Well, it should indeed be shown first. I did a bit of digging, and there was actually an issue with the relevance calculation in the title query with the regular engine. It must have been there for a long time, as I don’t recall making a change in that section for a while. Anyways, please try it now and let me know. I will then make this a permanent change in the upcoming release.

2. That message does not make sense, unfortunately. I mean I understand what CSRF is, and what form it refers to, but I don’t get how these things are related in any way. If you have any more information (malicious inputs, methodology, replication etc.), please let me know and I will test and patch if required. If there are no other details, you can safely mark it as a false positive.

To be honest with you, I am not a fan of these automated programmatical security tests; the amount of invalidated false positives reported is astonishing. I mean they are heuristically looking for simple programmatical errors or unintentional mistakes, and almost all of the time report completely safe code as malicious by detecting parts similar to other malicious code – but of course cannot recognize more complex structures. For non-technical users these are still frightening, when most of the time it is simply nothing. I have a feeling some security plugins use these as a selling point for a subscription, I can only hope it is not the case.