WordPress Plugin Vulnerabilities

Forminator < 1.24.1 - Unauthenticated Race Condition on poll vote

Description

The plugin does not check whether a user has already voted and record the vote in a single atomic operation. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.
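The check-then-update pattern described above, modelled next to an atomic alternative. This is an added example, not the plugin's code and not the fix shipped in 1.24.1. It assumes a hypothetical `votes` table in SQLite and uses threads with a barrier to stand in for parallel requests.

```python
import sqlite3
import threading

N = 5  # constructed scenario: five simultaneous submissions from one voter

def new_db(unique):
    # Hypothetical schema; the plugin's real tables are not shown on the page.
    db = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    constraint = ", UNIQUE (poll_id, voter)" if unique else ""
    db.execute(f"CREATE TABLE votes (poll_id INTEGER, voter TEXT{constraint})")
    return db

def vote_check_then_insert(db, lock, barrier):
    # Non-atomic: the "already voted?" read and the write are separate steps.
    with lock:  # the lock only serialises use of the shared sqlite handle
        seen = db.execute(
            "SELECT 1 FROM votes WHERE poll_id = 1 AND voter = 'v'").fetchone()
    barrier.wait()  # force the bad interleaving: all checks finish before any write
    if seen is None:
        with lock:
            db.execute("INSERT INTO votes VALUES (1, 'v')")

def vote_atomic(db, lock, barrier):
    # Atomic: the UNIQUE constraint makes the database decide, in one statement.
    barrier.wait()
    with lock:
        db.execute("INSERT OR IGNORE INTO votes VALUES (1, 'v')")

def run(vote_fn, unique):
    db, lock, barrier = new_db(unique), threading.Lock(), threading.Barrier(N)
    threads = [threading.Thread(target=vote_fn, args=(db, lock, barrier))
               for _ in range(N)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return db.execute("SELECT COUNT(*) FROM votes").fetchone()[0]

if __name__ == "__main__":
    print("check-then-insert:", run(vote_check_then_insert, unique=False))
    print("unique + insert-or-ignore:", run(vote_atomic, unique=True))
```

The same idea carries over to any database that enforces unique constraints: let the storage layer reject the duplicate instead of relying on a prior read.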

Proof of Concept

1. Create a poll and publish a page with the poll.
2. Visit the page with the poll.
3. Using Burp and the Turbo Intruder extension, intercept the poll submission.
4. Send the request to Turbo Intruder using Action > Extensions > Turbo Intruder > Send to turbo intruder.
5. Drop the initial request and turn Intercept off.
6. In the Turbo Intruder window, add the header `S: %s`.
7. Use the code `examples/race.py`.
8. Click "Attack" at the bottom of the window. This will send multiple requests to the server at the exact same moment.
9. Log into the site and visit `/wp-admin/admin.php?page=forminator-reports&form_type=forminator_polls&form_id=5` (replacing the `form_id` parameter with a valid one).
10. Notice that more than one submission has been recorded.

Note that this cannot be replicated on a single-process, single-threaded WordPress server.

Affects Plugins

Fixed in 1.24.1

References

Classification

Type
RACE CONDITION
CWE

Miscellaneous

Original Researcher
Amirmohammad vakili
Submitter
captain_hook
Verified
Yes

Timeline

Publicly Published
2023-06-12
Added
2023-06-12
Last Updated
2023-06-12

Other