Skip to content

Features
Pricing

Search

WordPress Plugin Vulnerabilities

123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary Post Creation

Description

The cfp-new-post AJAX action uses the cfp_authenticate() function to attempt to verify the signature, however uses user controller input to do so which result in a bypass, then allowing unauthenticated attackers to create arbitrary posts.

Affects Plugins

123contactform-for-wordpress

No known fix

References

URL

https://blog.sucuri.net/2021/01/critical-vulnerabilities-in-123contactform-for-wordpress-wordpress-plugin.html

Miscellaneous

Original Researcher

Rodrigo Escobar (Sucuri)

Verified

No

WPVDB ID

d3ef5644-1044-492f-ac23-ea90b32f1e77

Timeline

Publicly Published

2021-01-20 (about 3 years ago)

Added

2021-01-20 (about 3 years ago)

Last Updated

2021-01-21 (about 3 years ago)

Other

Published

Title

Published

2016-12-08

Title

WooCommerce Email Test 1.5 - Order Information Disclosure

Published

2023-11-16

Title

AppPresser < 4.3.0 - Insecure Password Reset Mechanism

Published

2020-01-08

Title

Minimal Coming Soon & Maintenance Mode < 2.17 - Insecure permissions: Export Settings/Theme Change

Published

2023-05-24

Title

Upload Resume <= 1.2.0 - Captcha Bypass

Published

2023-06-12

Title

Protect WP Admin < 4.0 - Unauthenticated Protection Bypass

Vulnerabilities

WordPress
Plugins
Themes
Our Stats
Submit vulnerabilities

About

How it works
Pricing
WordPress plugin
Blog
Contact

For Developers

Status
API details
CLI scanner

Other

Privacy
Terms of service
Submission terms
Disclosure policy
Privacy Notice for California Users

In partnership with Jetpack

GitHub
Twitter
Facebook

An

endeavor

Subscribe Subscribed
- WPScan
- Already have a WordPress.com account? Log in now.