WordPress Plugin Vulnerabilities
123ContactForm for WordPress <= 1.5.6 - Validation Bypass via Plugin Verification
Description
The cfp-connect AJAX call performs its signature verification using user-controlled input. Attackers could craft these values ($message, $signature, $cf_pub_key) to bypass the validation mechanisms and inject their own public_key into the database.
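The flaw class described above, shown beside a hardened form. This is an added PHP example, not the plugin's code: the function names, the request array layout and the sample message are assumptions, and only the names $message, $signature and $cf_pub_key come from the advisory. A check that takes its verification key from the request accepts any self-consistent message/signature/key triple, while a check against a key pinned on the server does not.

```php
<?php
// Added illustration; hypothetical function names, not the plugin's code.

// Vulnerable pattern: the verification key arrives in the same request as the
// message and signature, so the check proves only that the three values agree.
function verify_with_request_key(array $req): bool {
    return openssl_verify($req['message'], base64_decode($req['signature']),
                          $req['cf_pub_key'], OPENSSL_ALGO_SHA256) === 1;
}

// Hardened pattern: verify against a key pinned server-side (shipped with the
// code or stored at install time). Any key carried in the request is ignored
// and must never overwrite the stored one.
function verify_with_pinned_key(array $req, string $pinned_pem): bool {
    $sig = base64_decode($req['signature'] ?? '', true);
    if ($sig === false || !isset($req['message'])) {
        return false; // malformed input is rejected, not passed to OpenSSL
    }
    return openssl_verify($req['message'], $sig, $pinned_pem, OPENSSL_ALGO_SHA256) === 1;
}

// Helpers that build constructed sample data for the demonstration.
function new_keypair(): array {
    $k = openssl_pkey_new(['private_key_bits' => 2048,
                           'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    return [$k, openssl_pkey_get_details($k)['key']]; // [private key, public PEM]
}

function signed_request($priv, string $pub_pem, string $message): array {
    openssl_sign($message, $sig, $priv, OPENSSL_ALGO_SHA256);
    return ['message' => $message, 'signature' => base64_encode($sig),
            'cf_pub_key' => $pub_pem];
}

[$service_priv, $service_pub] = new_keypair(); // legitimate service key (pinned)
[$other_priv, $other_pub]     = new_keypair(); // key generated by the sender

$legit     = signed_request($service_priv, $service_pub, 'constructed-sample-message');
$untrusted = signed_request($other_priv, $other_pub, 'constructed-sample-message');

// The same untrusted request checked both ways, then the legitimate one.
var_dump(verify_with_request_key($untrusted));
var_dump(verify_with_pinned_key($untrusted, $service_pub));
var_dump(verify_with_pinned_key($legit, $service_pub));
```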
Affects Plugins
References
Miscellaneous
Original Researcher
Rodrigo Escobar (Sucuri)
Verified
No
WPVDB ID
Timeline
Publicly Published
2021-01-20 (about 3 years ago)
Added
2021-01-20 (about 3 years ago)
Last Updated
2021-01-21 (about 3 years ago)