Cross-site request forgery in Contact Form by WD - responsive drag & drop contact form builder tool - #VU18334
Published: April 24, 2019
Vulnerability identifier: #VU18334
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: N/A
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: WebDorado Form Builder Team
Affected software:
Contact Form by WD - responsive drag & drop contact form builder tool
Contact Form by WD - responsive drag & drop contact form builder tool
Detailed vulnerability description
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
The following AJAX actions are vulnerable:
manage_fmget_statsgenerete_csvgenerete_xmlformmakerwdcaptchanopriv_formmakerwdcaptchaformmakerwdmathcaptchanopriv_formmakerwdmathcaptchaproduct_optionFormMakerEditCountryinPopupFormMakerMapEditinPopupFormMakerIpinfoinPopupshow_matrixFormMakerSubmitsFormMakerSQLMappingselect_data_from_dbmanage
The following AJAX actions are vulnerable
paypal_infocheckpaypalnopriv_checkpaypalget_frontend_statsnopriv_get_frontend_statsfrontend_show_mapnopriv_frontend_show_mapfrontend_show_matrixnopriv_frontend_show_matrixfrontend_paypal_infonopriv_frontend_paypal_infofrontend_generate_csvnopriv_frontend_generate_csvfrontend_generate_xmlnopriv_frontend_generate_xmlFMShortocdewd_bp_dismiss
Remediation
Install updates from vendor's website.