WordPress Plugin Vulnerabilities

Elementor Contact Form DB < 1.6 - Unauthenticated & Unauthorised Form Submissions Export

Description

The sb_elem_cfd_download_csv function, registered on the admin_init hook, performs neither a capability check nor a CSRF (nonce) check, so unauthenticated attackers can download arbitrary form submissions as a CSV file. The exported data includes PII such as email addresses.

A CSRF check was later added, but no capability check, so the issue remains exploitable by any attacker who manages to obtain the related nonce generated for their own session.

Proof of Concept

https://example.com/wp-admin/admin-post.php?download_csv=1&form_name=358
https://example.com/wp-admin/admin-post.php?download_csv=1&form_id=NewForm
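The two fix levels the description distinguishes, as an added illustration that is not the plugin's code: a handler that only checks the nonce (still reachable by anyone holding a nonce for their own session) beside one that authorises the user first. The function names, the nonce action, the `manage_options` capability and the `example_cfd_submissions` filter are assumptions; only `download_csv` and `form_id` come from the advisory.

```php
<?php
// Hypothetical reconstruction of the pattern described in the advisory, not the plugin's own code.
// Assumed: the export handler runs on admin_init and reads the download_csv / form_id query args.

// Weak: CSRF check only. Authentication and authorisation are never verified,
// so any session that can obtain a valid nonce can still export submissions.
function example_cfd_download_csv_nonce_only() {
    if ( empty( $_GET['download_csv'] ) ) {
        return;
    }
    check_admin_referer( 'example_cfd_download_csv' ); // nonce bound to the caller's own session
    example_cfd_stream_csv( sanitize_text_field( wp_unslash( $_GET['form_id'] ?? '' ) ) );
}

// Hardened: capability check first (authorisation), then the nonce check (CSRF).
function example_cfd_download_csv_hardened() {
    if ( empty( $_GET['download_csv'] ) ) {
        return;
    }
    // Submissions contain PII, so restrict the export to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export submissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_cfd_download_csv' );
    example_cfd_stream_csv( sanitize_text_field( wp_unslash( $_GET['form_id'] ?? '' ) ) );
}
add_action( 'admin_init', 'example_cfd_download_csv_hardened' );

// Builds the export link with a nonce tied to the current user's session.
function example_cfd_export_url( $form_id ) {
    $url = add_query_arg(
        array( 'download_csv' => 1, 'form_id' => rawurlencode( $form_id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_cfd_download_csv' );
}

// Streams the rows as CSV; the submission lookup is an assumed filter, since the
// plugin's storage layer is not shown in the advisory.
function example_cfd_stream_csv( $form_id ) {
    $rows = apply_filters( 'example_cfd_submissions', array(), $form_id );
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions-' . sanitize_file_name( $form_id ) . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```

Note that the order matters: the capability check runs before the nonce check, so an unauthenticated or low-privilege request is rejected regardless of whether it carries a valid nonce.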

Classification

Type
ACCESS CONTROLS

Miscellaneous

Verified
Yes

Timeline

Publicly Published
2021-01-13
Added
2021-01-13
Last Updated
2021-01-13
