WordPress Plugin Vulnerabilities

Contact Form by WD <= 1.13.4 - Cross-Site Request Forgery to LFI

Description

Plugin Contact Form by WD suffers from CSRF issues that could lead to an LFI attack.

Affects Plugins

Plugin icon
contact-form-maker
Fixed in 1.13.5

References

CVE
CVE-2019-11591
URL
https://packetstormsecurity.com/files/#152399/
URL
https://pvagenas.com/vulnerabilities/contact-form-by-wd-csrf/
URL
https://plugins.trac.wordpress.org/changeset/2063502/contact-form-maker
URL
https://seclists.org/fulldisclosure/2019/Apr/11

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
p4n
Submitter website
https://pvagenas.com
Submitter twitter
panVagenas
Verified
No
WPVDB ID
e884a492-234f-4f0c-8049-eeb7272e89d6

Timeline

Publicly Published
2019-04-05 (about 7 years ago)
Added
2019-04-10 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-10-14
Title
Social Auto Poster < 5.3.16 - Cross-Site Request Forgery
Published
2024-03-12
Title
Easy Social Feed < 6.5.5 - Cross-Site Request Forgery
Published
2014-08-01
Title
Cool Video Gallery 1.8 - admin/video-sitemap.php XML Video Sitemap Generation CSRF
Published
2025-12-01
Title
Photo Gallery by Ays < 6.4.9 - Cross-Site Request Forgery to Bulk Actions
Published
2025-01-16
Title
GDReseller <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting