WordPress Plugin Vulnerabilities
Contact Form Generator < 2.5.5 - Multiple Cross-Site Request Forgery (CSRF)
Description
The plugin does not have any CSRF checks in place on its create/edit/delete actions for Forms, Fields and Templates, allowing an attacker to make a logged-in admin perform such actions. Furthermore, the plugin also does not sanitise or escape any data, which could lead to a Stored XSS issue as well.
The original issue is from 2015 and was about CSRF on the delete action; however, the current latest version (2.1.86) is still affected, CSRF affects every action, and the missing sanitisation also allows XSS attacks.
Version 2.5.0 attempts to thwart CSRF attacks with a homemade request token validation routine, but it uses very weak pseudorandom generators to produce the token, so it remains exploitable.
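As an added illustration (not code from the plugin or from this advisory), the following shows the pattern WordPress core already provides for the two weaknesses described: nonces generated by the core API instead of a home-grown token, a capability check alongside the nonce, and sanitisation on input with escaping on output. The `cfg_demo_` function names, the option name and the text domain are hypothetical.

```php
<?php
// Hypothetical admin handlers demonstrating the mitigation for the issues
// described above. Not code from Contact Form Generator.

// Build the delete link with a nonce bound to the action and the form ID.
// wp_nonce_url() derives the token from the site's secret salts and the current
// user's session, so it cannot be precomputed by a third party (unlike a token
// from a weak pseudorandom generator).
function cfg_demo_delete_link( $form_id ) {
    $form_id = absint( $form_id );
    $url     = admin_url( 'admin-post.php?action=cfg_demo_delete_form&form_id=' . $form_id );
    return wp_nonce_url( $url, 'cfg_demo_delete_form_' . $form_id );
}

// Delete handler, hooked to admin_post_cfg_demo_delete_form.
function cfg_demo_handle_delete() {
    // 1. Authorisation: a CSRF token does not replace a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cfg-demo' ), 403 );
    }
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    // 2. CSRF check: dies with 403 if _wpnonce is missing, expired, or was
    //    issued for a different action or form ID.
    check_admin_referer( 'cfg_demo_delete_form_' . $form_id );

    delete_option( 'cfg_demo_form_' . $form_id );   // stand-in for the real delete
    wp_safe_redirect( admin_url( 'admin.php?page=cfg-demo&deleted=1' ) );
    exit;
}
add_action( 'admin_post_cfg_demo_delete_form', 'cfg_demo_handle_delete' );

// Save handler, hooked to admin_post_cfg_demo_save_form: nonce check plus
// sanitisation of the submitted value before it is stored.
function cfg_demo_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cfg-demo' ), 403 );
    }
    // Field name must match the one passed to wp_nonce_field() below.
    check_admin_referer( 'cfg_demo_save_form', 'cfg_demo_nonce' );

    $title = isset( $_POST['form_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['form_title'] ) )
        : '';
    update_option( 'cfg_demo_form_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=cfg-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_cfg_demo_save_form', 'cfg_demo_handle_save' );

// Output: escape at render time regardless of what is stored, which is what
// stops a stored value from becoming Stored XSS.
function cfg_demo_render_title() {
    return '<h2>' . esc_html( get_option( 'cfg_demo_form_title', '' ) ) . '</h2>';
}

// Edit form: the hidden nonce field is what the save handler verifies.
function cfg_demo_render_form() { ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cfg_demo_save_form">
        <?php wp_nonce_field( 'cfg_demo_save_form', 'cfg_demo_nonce' ); ?>
        <input type="text" name="form_title"
               value="<?php echo esc_attr( get_option( 'cfg_demo_form_title', '' ) ); ?>">
        <?php submit_button( 'Save form' ); ?>
    </form>
<?php }
```

The three layers are independent: the capability check limits who may act, the nonce ties the request to an action the user actually initiated from the admin UI, and escaping on output neutralises any stored content regardless of how it got there.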
Proof of Concept
Affects Plugins
References
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
ethicalhack3r
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2015-09-07
Added
2015-09-08
Last Updated
2023-07-11