CVE-2025-13973

StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure

Weakness: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Severity: Medium
Patched in: 1.0.2
Time to patch: 1d

Description

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 1.0.1
Published: February 13, 2026
Last updated: February 14, 2026

Source Code

WordPress.org SVN

Research Plan
Unverified


Exploitation Research Plan: CVE-2025-13973

1. Vulnerability Summary

The StickEasy Protected Contact Form plugin (versions <= 1.0.1) suffers from an unauthenticated sensitive information disclosure vulnerability. The plugin implements a spam detection mechanism that logs details of flagged submissions to a static text file: wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt. Because this file is stored within the public uploads directory without restrictive access controls (such as an .htaccess rule denying direct requests; an empty index.php only suppresses directory listings and does not protect a file whose name is known), any unauthenticated user can predict the URL and download the log, exposing visitor IP addresses, email addresses, and form content.

2. Attack Vector Analysis

  • Target Endpoint: http://<target>/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt
  • Method: HTTP GET
  • Authentication: None (Unauthenticated)
  • Preconditions:
    1. The plugin must have processed at least one submission that was flagged as "spam".
    2. The directory wp-content/uploads/stickeasy-protected-contact-form/ must have been created (typically happens upon the first spam event).

3. Code Flow (Inferred)

Since source files are not provided, the following flow is inferred from the vulnerability description and common WordPress plugin patterns:

  1. Form Submission: A user submits a contact form (likely via a wp_ajax_nopriv_ handler or a POST request to a page containing the plugin's shortcode).
  2. Spam Detection: The plugin runs a check (e.g., honeypot, timing, or content filtering).
  3. Logging Sink: If the check fails (spam detected), the plugin calls a logging function.
    • It likely uses wp_upload_dir() to find the path.
    • It writes data to spcf-log.txt using file_put_contents($file, $data, FILE_APPEND).
    • The data includes $_SERVER['REMOTE_ADDR'], the email field, and the message snippet.
  4. Exposure: The file is saved with default permissions in a web-accessible directory.
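As an added example (not the plugin's own code, and not the fix shipped in 1.0.2): the logging sink inferred above, beside a hardened variant that denies web access to the log directory, avoids a predictable filename and minimises the PII written. The function names, the option name spcf_log_secret and the directory name spcf-private are assumptions.

```php
<?php
// Added example, not code from the StickEasy plugin: the logging sink inferred
// in section 3 beside a hardened variant. Function names, the option name
// 'spcf_log_secret' and the directory name 'spcf-private' are assumptions.

// Inferred weak sink: predictable path inside the public uploads directory,
// raw IP, e-mail and message appended as plain text.
function spcf_log_spam_weak( string $email, string $message ): void {
    $dir = wp_upload_dir()['basedir'] . '/stickeasy-protected-contact-form';
    wp_mkdir_p( $dir );
    $line = sprintf( "[%s] SPAM Detected - IP: %s, Email: %s, Message: \"%s\"\n",
        gmdate( 'Y-m-d H:i:s' ), $_SERVER['REMOTE_ADDR'] ?? '-', $email, $message );
    file_put_contents( $dir . '/spcf-log.txt', $line, FILE_APPEND );
}

// Hardened variant: web access denied, unguessable filename, minimal PII.
function spcf_log_spam_hardened( string $email, string $message ): void {
    $dir = wp_upload_dir()['basedir'] . '/spcf-private';
    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
        // Deny direct requests on Apache 2.2 and 2.4. Nginx ignores .htaccess
        // and needs an equivalent "location ... { deny all; }" in its config.
        file_put_contents( $dir . '/.htaccess',
            "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n" .
            "<IfModule !mod_authz_core.c>\nDeny from all\n</IfModule>\n" );
        file_put_contents( $dir . '/index.php', "<?php // Silence is golden.\n" );
    }
    // Per-site secret: makes the filename unpredictable and keys the IP hash.
    $secret = get_option( 'spcf_log_secret' );
    if ( ! is_string( $secret ) || strlen( $secret ) < 32 ) {
        $secret = wp_generate_password( 64, false );
        update_option( 'spcf_log_secret', $secret, false );
    }
    $name = substr( hash_hmac( 'sha256', 'log-filename', $secret ), 0, 32 );
    $file = $dir . '/spcf-log-' . $name . '.log';

    // Minimise what is stored: keyed IP hash (repeat sources stay correlatable
    // without keeping the address), masked e-mail, one-line message snippet.
    $ip   = $_SERVER['REMOTE_ADDR'] ?? '-';
    $ipH  = substr( hash_hmac( 'sha256', $ip, $secret ), 0, 16 );
    $at   = strrpos( $email, '@' );
    $mail = $at === false ? '***' : substr( $email, 0, 1 ) . '***' . substr( $email, $at );
    $snip = substr( (string) preg_replace( '/\s+/', ' ', $message ), 0, 40 );

    $line = sprintf( "[%s] spam ip=%s email=%s msg=\"%s\"\n",
        gmdate( 'Y-m-d H:i:s' ), $ipH, $mail, $snip );
    file_put_contents( $file, $line, FILE_APPEND | LOCK_EX );
    @chmod( $file, 0600 ); // readable by the PHP user only
}
```

Where the hosting layout allows it, writing the log outside the document root is stronger than relying on .htaccess, which Nginx does not read.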

4. Nonce Acquisition Strategy

Reading the sensitive log file requires no nonce, as it is a direct request to a static file served by the web server (Nginx/Apache).

However, to generate test data (triggering the log entry), a nonce might be required for the form submission.

  1. Identify Shortcode: Search for add_shortcode in the plugin directory to find the form's tag (likely [stickeasy-contact-form] or similar).
  2. Identify Nonce Key: Look for wp_create_nonce or wp_localize_script in the plugin code to see if the form uses a CSRF token.
  3. Strategy:
    • Use wp-cli to create a page with the discovered shortcode.
    • Navigate to the page using browser_navigate.
    • Extract any nonce using browser_eval.
    • Submit the form via http_request or browser_click.

5. Exploitation Strategy

  1. Discovery: Confirm the plugin is active and determine the exact shortcode by grepping the source: grep -r "add_shortcode" .
  2. Environment Setup: Create a post/page containing the form.
  3. Trigger Logging:
    • Analyze the spam detection logic (e.g., search for "honeypot" or "hidden" fields).
    • Submit a form entry that intentionally triggers the spam filter (e.g., filling out a hidden honeypot field or submitting too quickly).
  4. Information Retrieval: Perform a GET request to the log file location.

Expected HTTP Request (Data Retrieval)

GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt HTTP/1.1
Host: localhost
Connection: close

6. Test Data Setup

  1. Install Plugin: Ensure stickeasy-protected-contact-form version 1.0.1 is installed.
  2. Create Page:
    wp post create --post_type=page --post_title="Contact Us" --post_status=publish --post_content='[stickeasy-contact-form]'

    (Note: Replace [stickeasy-contact-form] with the actual shortcode found in the code.)
  3. Identify Spam Trigger:
    • Grep the code for the logging logic: grep -r "spcf-log.txt" .
    • Identify what causes the plugin to write to this file (e.g., if a field named spcf_honeypot is not empty).

7. Expected Results

  • Successful Trigger: The plugin creates the directory and file in wp-content/uploads/.
  • Successful Disclosure: The HTTP GET request returns a 200 OK with a response body containing plain text logs, for example:
    [2023-10-27 10:00:00] SPAM Detected - IP: 192.168.1.1, Email: victim@example.com, Message: "Check out this link..."

8. Verification Steps

  1. Check Filesystem via CLI:
    ls -l /var/www/html/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt

  2. Verify Content:
    cat /var/www/html/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt

  3. Confirm Accessibility: Check the HTTP response status of the direct URL.

9. Alternative Approaches

If the plugin uses an obscure spam detection method:

  • Analysis: Look for is_spam or check_spam functions in the code.
  • Brute Force: If the trigger is just "high frequency", use a loop to submit multiple requests quickly to see if the log populates.
  • Direct Path Check: If the uploads directory is protected by a generic .htaccess (unlikely in default WP), try to see if the plugin provides an admin setting to view logs, which might have its own IDOR or access control flaw.

Research Findings
Static analysis — not yet PoC-verified

Summary

The StickEasy Protected Contact Form plugin for WordPress (versions up to 1.0.1) stores spam detection logs in a publicly accessible text file within the WordPress uploads directory. This allows unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and form submission content.

Exploit Outline

The exploit involves two main steps: first, triggering the creation or update of the log file by submitting a contact form entry that fails the plugin's spam detection logic (such as filling out a hidden honeypot field). Second, an unauthenticated attacker performs a direct HTTP GET request to the predictable file path: `http://[target-site]/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt`. If successful, the server returns the plain-text log containing PII of previous site visitors.
