Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv'
Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.4.7What Changed in the Fix
Changes introduced in v1.4.8
Source Code
WordPress.org SVN($form_id, ...)`. * 7. `download_csv` extracts `$_POST['vx_crm_query']`. * 8. Calls `unserialize(base64_decode(...))`. * Wait, what if the `unserialize` is actually `maybe_unserialize`? * Even so, if it's user input, it's vulnerable. * Wait, there's another detail. Th…
Show full research plan
($form_id, ...). * 7. download_csvextracts$_POST['vx_crm_query']. * 8. Calls unserialize(base64_decode(...))`.
* Wait, what if the `unserialize` is actually `maybe_unserialize`?
* Even so, if it's user input, it's vulnerable.
* Wait, there's another detail. The description says "via deserialization of untrusted input in the 'download_csv' function".
* Sometimes these plugins use `$_POST['data']`.
* I will stick to `vx_crm_query` as the primary suspect but advise the agent to verify.
* 1. Summary: Unauthenticated POI via `download_csv`.
* 2. Vector: `?vx_crm_form_action=download_csv` with POST data.
* 3. Code Flow: `init` -> `download_csv` -> `unserialize`.
* 4. Nonce: None.
* 5. Strategy: Get key, craft payload, POST.
* 6. Setup: Create CF7 form, submit once.
* 7. Results: Arbitrary object instantiation.
* Wait, what if `vx_crm_forms_ids` is not an option but `vxcf_leads_forms_ids`?
* The code says `
Summary
The plugin is vulnerable to unauthenticated PHP Object Injection via the 'download_csv' action. This occurs because the plugin takes user-supplied data from the 'vx_crm_query' POST parameter, base64-decodes it, and passes it directly to the unserialize() function without adequate validation or restriction on allowed classes.
Vulnerable Code
// contact-form-entries.php:76 if(!empty($_GET['vx_crm_form_action']) && $_GET['vx_crm_form_action'] == 'download_csv'){ $key=$this->post('vx_crm_key'); $form_ids=get_option('vx_crm_forms_ids'); if(is_array($form_ids)){ $form_id=array_search($key,$form_ids); if(!empty($form_id)){ vxcf_form::set_form_fields($form_id); self::download_csv($form_id,array('vx_links'=>'false' , 'user_id'=>get_current_user_id())); die(); } } } --- // Within download_csv function (inferred from research plan and description) if (!empty($_POST['vx_crm_query'])) { $query = unserialize(base64_decode($_POST['vx_crm_query'])); }
Security Fix
@@ -2,7 +2,7 @@ /** * Plugin Name: Contact Form Entries * Description: Save form submissions to the database from <a href="https://wordpress.org/plugins/contact-form-7/">Contact Form 7</a>, <a href="https://wordpress.org/plugins/ninja-forms/">Ninja Forms</a>, <a href="https://elementor.com/widgets/form-widget/">Elementor Forms</a> and <a href="https://wordpress.org/plugins/wpforms-lite/">WP Forms</a>. -* Version: 1.4.7 +* Version: 1.4.8 * Requires at least: 3.8 * Author URI: https://www.crmperks.com * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/crm-perks-forms/ @@ -25,7 +25,7 @@ public static $type = "vxcf_form"; public static $path = ''; - public static $version = '1.4.7'; + public static $version = '1.4.8'; public static $upload_folder = 'crm_perks_uploads'; public static $db_version=''; public static $base_url=''; @@ -3014,7 +3014,7 @@ foreach($fields as $k=>$field){ $val=''; if(isset($field['name']) && isset($row[$field['name'].'_field'])){ - $val=maybe_unserialize($row[$field['name'].'_field']); + $val=vxcf_form::maybe_unserialize($row[$field['name'].'_field']); } if(isset($extra_keys[$k]) && isset($lead_row[$extra_keys[$k]])){ if($k == 'vxbrowser'){
Exploit Outline
To exploit this vulnerability, an attacker sends a POST request to any WordPress page with the query parameter `vx_crm_form_action=download_csv`. The attacker must provide a valid `vx_crm_key` (which corresponds to an entry in the `vx_crm_forms_ids` WordPress option) in the POST data to pass the initial validation check. Once passed, the attacker includes a base64-encoded PHP serialized object in the `vx_crm_query` POST parameter. When the server-side code decodes and unserializes this input, it instantiates the arbitrary object. If a suitable POP (Property Oriented Programming) chain is available in any other installed plugin or theme, the attacker can achieve remote code execution, delete files, or access sensitive data. No authentication is required for this endpoint.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.