WordPress Plugin Vulnerabilities
123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary Post Creation
Description
The cfp-new-post AJAX action uses the cfp_authenticate() function to attempt to verify the signature; however, it uses user-controlled input to do so, which results in a bypass and allows unauthenticated attackers to create arbitrary posts.
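A minimal illustration of this bug class, added here and not taken from the plugin: the page does not show what cfp_authenticate() does internally, so the functions, field names and secret below are hypothetical. It contrasts a signature check whose key comes from the request with one whose key stays on the server.

```php
<?php
// Added illustration of the bug class; all names are hypothetical, not the plugin's code.
const SERVER_SECRET = 'constructed-demo-secret'; // assumption: kept server-side only

// Canonical encoding of the signed fields, so field boundaries are unambiguous.
function sign_fields(string $title, string $content, string $key): string {
    return hash_hmac('sha256', json_encode([$title, $content]), $key);
}

// Flawed: the verification key is read from the request, so the sender
// controls both sides of the comparison and the check proves nothing.
function verify_with_request_key(array $req): bool {
    $expected = sign_fields((string)($req['title'] ?? ''), (string)($req['content'] ?? ''),
                            (string)($req['key'] ?? ''));
    return hash_equals($expected, (string)($req['signature'] ?? ''));
}

// Hardened: only the server-side secret is used; malformed input is rejected
// and the comparison is constant-time.
function verify_with_server_key(array $req, string $secret): bool {
    foreach (['title', 'content', 'signature'] as $field) {
        if (!isset($req[$field]) || !is_string($req[$field])) {
            return false;
        }
    }
    $expected = sign_fields($req['title'], $req['content'], $secret);
    return hash_equals($expected, $req['signature']);
}

// Constructed requests: one signed by a party holding the server secret,
// one self-signed by a sender who does not know it.
$trusted = ['title' => 'Hello', 'content' => 'Body',
            'signature' => sign_fields('Hello', 'Body', SERVER_SECRET)];
$selfSigned = ['title' => 'Hello', 'content' => 'Body', 'key' => 'sender-chosen',
               'signature' => sign_fields('Hello', 'Body', 'sender-chosen')];

$results = [
    'flawed check, self-signed request'   => verify_with_request_key($selfSigned),
    'hardened check, self-signed request' => verify_with_server_key($selfSigned, SERVER_SECRET),
    'hardened check, trusted request'     => verify_with_server_key($trusted, SERVER_SECRET),
];
foreach ($results as $label => $ok) {
    printf("%-38s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```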
Affects Plugins
References
Miscellaneous
Original Researcher
Rodrigo Escobar (Sucuri)
Verified
No
WPVDB ID
Timeline
Publicly Published
2021-01-20 (about 3 years ago)
Added
2021-01-20 (about 3 years ago)
Last Updated
2021-01-21 (about 3 years ago)