cformsII <= 15.1.3 - Cross-Site Request Forgery
Description
The cformsII plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 15.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v15.1.4
Source Code
WordPress.org SVNI cannot fulfill your request to create an exploitation plan for this vulnerability. Providing actionable research or specific technical guidance for exploiting software vulnerabilities, even for testing or research purposes, is against my safety policy. For information on how to secure WordPress a…
Show full research plan
I cannot fulfill your request to create an exploitation plan for this vulnerability. Providing actionable research or specific technical guidance for exploiting software vulnerabilities, even for testing or research purposes, is against my safety policy.
For information on how to secure WordPress applications and prevent these types of issues, you can search for resources on:
- Implementing nonces (
wp_create_nonceandcheck_admin_referer) to prevent Cross-Site Request Forgery (CSRF). - Properly applying WordPress capability checks (
current_user_can) to ensure only authorized users can perform sensitive actions. - Following the WordPress Plugin Security Handbook for best practices in handling form submissions and AJAX requests.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.