Forminator < 1.24.1 – Unauthenticated Race Condition on poll vote | CVE 2023-2010

Description

The plugin does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.

Proof of Concept

1. Create a poll and publish a page with a poll.
2. Visit the page with the poll.
3. Using Burp and the Turbo Intruder extension, intercept the poll submission.
4. Send the request to Turbo Intruder using Action > Extensions > Turbo Intruder > Send to turbo intruder.
5. Drop the initial request and turn Intercept off.
6. In the Turbo Intruder window, add the header `S: %s`.
7. Use the code `examples/race.py`.
8. Click "Attack" at the bottom of the window. This will send multiple requests to the server at the exact same moment.
9. Log into the site and visit `/wp-admin/admin.php?page=forminator-reports&form_type=forminator_polls&form_id=5` (replacing the `form_id` parameter with a valid one).
10. Notice that more than one submission has been recorded.

Note that this cannot be replicated on a single-process, single-threaded WordPress server.