03 Apr

Cross-Site Request Forgery (CSRF)/Form Submission Deletion Vulnerability in Contact Form 7 Database

While looking over another vulnerability in the plugin Contact Form 7 Database we also noticed that it lacked protection against cross-site request forgery (CSRF) when deleting the form submissions that it stores.

The following code in the file /admin/table.php handles requests to delete form submissions:

// If the delete bulk action is triggered
if ((isset($_POST['action']) && $_POST['action'] == 'bulk-delete')
   || (isset($_POST['action2']) && $_POST['action2'] == 'bulk-delete')
) {
    $delete_ids = esc_sql($_POST['bulk-delete']);

    // loop over the array of record IDs and delete them
    foreach ($delete_ids as $id) {
        $this->delete_entry($id);
    }
}

The code doesn’t check for a valid nonce, which is what WordPress uses to prevent CSRF: nothing ties the request to a form the logged-in user actually submitted from the site.
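The same bulk-delete handler with the missing checks added, as an example written for this post rather than code from the plugin. It assumes it runs inside WordPress, inside the same list-table class (so $this->delete_entry() exists), and uses the nonce action name cf7d_bulk_delete and field name cf7d_nonce, both chosen here.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded and
// that this runs in the class that defines delete_entry().

// (a) The form that submits the bulk action must carry a nonce. This call
//     belongs inside the <form> that renders the submissions table; it emits
//     a hidden field named cf7d_nonce bound to the current user and action.
wp_nonce_field( 'cf7d_bulk_delete', 'cf7d_nonce' );

// (b) The handler refuses to delete anything until that nonce verifies.
$action  = isset( $_POST['action'] )  ? $_POST['action']  : '';
$action2 = isset( $_POST['action2'] ) ? $_POST['action2'] : '';

if ( 'bulk-delete' === $action || 'bulk-delete' === $action2 ) {
    // Stops the request (wp_die) unless $_POST['cf7d_nonce'] was issued for
    // 'cf7d_bulk_delete' to the current user. A page on another origin cannot
    // read that value, so a forged cross-site form fails here.
    check_admin_referer( 'cf7d_bulk_delete', 'cf7d_nonce' );

    // A nonce proves the request came from our form, not that the user may
    // delete: also enforce a capability. 'manage_options' is assumed here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete submissions.', 'cf7d' ) );
    }

    // Entry IDs are integers, so cast them instead of relying on esc_sql().
    $raw        = isset( $_POST['bulk-delete'] ) ? (array) wp_unslash( $_POST['bulk-delete'] ) : array();
    $delete_ids = array_filter( array_map( 'absint', $raw ) );

    // loop over the array of record IDs and delete them
    foreach ( $delete_ids as $id ) {
        $this->delete_entry( $id );
    }
}
```

If the delete is triggered by a GET link instead of a form, the link itself has to be built with wp_nonce_url() and verified the same way, otherwise the URL in the proof of concept below remains enough on its own.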

Proof of Concept

The following proof of concept will delete the form submissions with the IDs 1 and 2, when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=cf7-data&action=-1&cf7d-export=-1&del_id%5B%5D=1&del_id%5B%5D=2&action2=delete&btn_apply2=Apply

Timeline

  • March 27, 2017 – Developer notified.
  • April 3, 2017 – WordPress.org Plugin Directory notified.
  • April 3, 2017 – Plugin removed from WordPress.org Plugin Directory.
  • April 4, 2017 – Version 1.2 submitted to WordPress.org Plugin Directory’s Subversion repository, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
