Vulnerability identifier: #VU18334
Vulnerability risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-352
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Contact Form by WD – responsive drag & drop contact form builder tool
Web applications / Modules and components for CMS
Vendor: WebDorado Form Builder Team
Description
The vulnerability allows a remote attacker to perform cross-site request forgery (CSRF) attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the plugin's AJAX handlers. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
The following AJAX actions are vulnerable:
manage_fm
get_stats
generete_csv
generete_xml
formmakerwdcaptcha
nopriv_formmakerwdcaptcha
formmakerwdmathcaptcha
nopriv_formmakerwdmathcaptcha
product_option
FormMakerEditCountryinPopup
FormMakerMapEditinPopup
FormMakerIpinfoinPopup
show_matrix
FormMakerSubmits
FormMakerSQLMapping
select_data_from_db
manage
Only in the paid version:
paypal_info
checkpaypal
nopriv_checkpaypal
get_frontend_stats
nopriv_get_frontend_stats
frontend_show_map
nopriv_frontend_show_map
frontend_show_matrix
nopriv_frontend_show_matrix
frontend_paypal_info
nopriv_frontend_paypal_info
frontend_generate_csv
nopriv_frontend_generate_csv
frontend_generate_xml
nopriv_frontend_generate_xml
FMShortocde
wd_bp_dismiss
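The root cause described above is an AJAX handler that acts on any request reaching admin-ajax.php with the victim's cookies, without checking that the request was issued by the plugin's own page. The following is an added illustration, not code from the Contact Form by WD plugin: a hypothetical export handler (all names prefixed "wdexample_" are assumptions) shown first without and then with the standard WordPress CSRF protection, a nonce verified by check_ajax_referer() plus a separate capability check.

```php
<?php
/**
 * Added example (not the plugin's code): a hypothetical WordPress AJAX
 * export handler without and with CSRF protection. Every "wdexample_"
 * name is an assumption made for illustration.
 */

// --- Weak pattern: the handler trusts any request that reaches
// admin-ajax.php. A logged-in administrator who loads a third-party page
// can be made to send this request with their cookies, so the export runs
// on their behalf. This is the shape of the flaw the advisory describes.
add_action( 'wp_ajax_wdexample_export_csv_weak', 'wdexample_export_csv_weak' );
function wdexample_export_csv_weak() {
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    wdexample_send_csv( $form_id ); // no nonce check, no capability check
}

// --- Hardened pattern: verify the request origin (nonce) and the caller's
// authorization before doing anything.
add_action( 'wp_ajax_wdexample_export_csv', 'wdexample_export_csv' );
function wdexample_export_csv() {
    // Ends the request with "-1" / HTTP 403 unless a valid nonce for this
    // action arrives in the 'nonce' query argument. The nonce is derived
    // from the current user's session token, so a page on another origin
    // cannot know or guess it.
    check_ajax_referer( 'wdexample_export_csv', 'nonce' );

    // Authorization is a separate concern from CSRF: a valid nonce held by
    // a subscriber must still not be enough to export submissions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    wdexample_send_csv( $form_id );
}

// A "nopriv_" variant runs for logged-out visitors, so a capability check
// is meaningless there; the nonce check still applies and should still be
// present for any state-changing action exposed that way.
add_action( 'wp_ajax_nopriv_wdexample_export_csv', 'wdexample_deny_nopriv' );
function wdexample_deny_nopriv() {
    wp_send_json_error( array( 'message' => 'login required' ), 401 );
}

// Hand the nonce to the plugin's own admin script so that legitimate
// requests from the plugin's page can carry it.
add_action( 'admin_enqueue_scripts', 'wdexample_enqueue_admin_script' );
function wdexample_enqueue_admin_script() {
    wp_enqueue_script(
        'wdexample-admin',
        plugins_url( 'admin.js', __FILE__ ), // hypothetical script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'wdexample-admin', 'wdexampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'wdexample_export_csv' ),
    ) );
}

// Minimal stand-in for the real export; not relevant to the CSRF point.
function wdexample_send_csv( $form_id ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="form-' . $form_id . '.csv"' );
    echo "submission_id,submitted_at\n";
    wp_die();
}
```

The enqueued admin.js (assumed, not shown) would request `wdexampleAjax.url + '?action=wdexample_export_csv&form_id=1&nonce=' + wdexampleAjax.nonce`. When auditing a plugin for this class of bug, look at each `wp_ajax_*` and `wp_ajax_nopriv_*` callback and confirm that every one which reads, changes or exports data calls `check_ajax_referer()` (or `wp_verify_nonce()`) before the action and, for privileged operations, also calls `current_user_can()`; the advisory's list of affected actions is exactly the set of callbacks where that check was missing.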
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Contact Form by WD – responsive drag & drop contact form builder tool: 1.5 - 1.13.4
External links
http://wpvulndb.com/vulnerabilities/9252/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.