123ContactForm for WordPress <= 1.5.6 - Validation Bypass via Plugin Verification
Description
The cfp-connect AJAX call uses user input controlled data to perform the signature verification, attackers could craft these values ($message, $signature, $cf_pub_key) to bypass the validation mechanisms and inject their own public_key into the database.
Affects Plugins
No known fix - plugin closed
Classification
Type
BYPASS
Miscellaneous
Timeline
Publicly Published
2021-01-20 (about 3 months ago)
Added
2021-01-20 (about 3 months ago)
Last Updated
2021-01-21 (about 3 months ago)