WordPress Plugin Vulnerabilities

Contact Form Builder <= 1.0.68 - CSRF to LFI

Description

The WDContactFormBuilder WordPress plugin was affected by a CSRF to LFI security vulnerability.

Affects Plugins

Plugin icon
contact-form-builder
Fixed in 1.0.69

References

CVE
CVE-2019-11557
URL
https://packetstormsecurity.com/files/#152579/
URL
https://plugins.trac.wordpress.org/changeset/2070430/contact-form-builder
URL
https://plugins.trac.wordpress.org/changeset/2053978/contact-form-builder

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Panagiotis Vagenas
Submitter
Ryan Dewhurst
Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
8aac684c-6069-44c1-8bd0-7deeb0d6f322

Timeline

Publicly Published
2019-04-23 (about 7 years ago)
Added
2019-04-24 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-11-14
Title
Wordpress File Upload < 4.24.1 - Cross-Site Request Forgery
Published
2023-03-29
Title
GMAce <= 1.5.2 - Arbitrary File Creation/Deletion/Update via CSRF
Published
2025-06-05
Title
WP Table Builder < 2.0.7 - Cross-Site Request Forgery
Published
2024-03-25
Title
BizPrint < 4.5.6 - Cross-Site Request Forgery to Cross-Site Scripting via process.php
Published
2021-06-30
Title
YITH Request a Quote for WooCommerce < 1.6.4 - Unauthorised AJAX call via CSRF