[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fp7BY8veLnvHKADWMJKlFj3qtlIZboM5QiF2EpIe6Qio":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2025-13973","stickeasy-protected-contact-form-unauthenticated-information-disclosure","StickEasy Protected Contact Form \u003C= 1.0.1 - Unauthenticated Information Disclosure","The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.","stickeasy-protected-contact-form",null,"\u003C=1.0.1","1.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-02-13 14:25:27","2026-02-14 03:25:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F86edc116-054f-4962-a57c-0ce7e1b8ff8c?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-13973\n\n## 1. Vulnerability Summary\nThe **StickEasy Protected Contact Form** plugin (versions \u003C= 1.0.1) suffers from an unauthenticated sensitive information disclosure vulnerability. The plugin implements a spam detection mechanism that logs details of flagged submissions to a static text file: `wp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt`. Because this file is stored within the public `uploads` directory without restrictive access controls (like an `.htaccess` file or an empty `index.php`), any unauthenticated user can predict the URL and download the log, exposing visitor IP addresses, email addresses, and form content.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt`\n*   **Method:** HTTP GET\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** \n    1. The plugin must have processed at least one submission that was flagged as \"spam\".\n    2. The directory `wp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002F` must have been created (typically happens upon the first spam event).\n\n## 3. Code Flow (Inferred)\nSince source files are not provided, the following flow is inferred from the vulnerability description and common WordPress plugin patterns:\n\n1.  **Form Submission:** A user submits a contact form (likely via a `wp_ajax_nopriv_` handler or a `POST` request to a page containing the plugin's shortcode).\n2.  **Spam Detection:** The plugin runs a check (e.g., honeypot, timing, or content filtering). \n3.  **Logging Sink:** If the check fails (spam detected), the plugin calls a logging function.\n    *   It likely uses `wp_upload_dir()` to find the path.\n    *   It writes data to `spcf-log.txt` using `file_put_contents($file, $data, FILE_APPEND)`.\n    *   The data includes `$_SERVER['REMOTE_ADDR']`, the email field, and the message snippet.\n4.  **Exposure:** The file is saved with default permissions in a web-accessible directory.\n\n## 4. Nonce Acquisition Strategy\nReading the sensitive log file requires **no nonce**, as it is a direct request to a static file served by the webserver (Nginx\u002FApache).\n\nHowever, to **generate** test data (triggering the log entry), a nonce might be required for the form submission.\n1.  **Identify Shortcode:** Search for `add_shortcode` in the plugin directory to find the form's tag (likely `[stickeasy-contact-form]` or similar).\n2.  **Identify Nonce Key:** Look for `wp_create_nonce` or `wp_localize_script` in the plugin code to see if the form uses a CSRF token.\n3.  **Strategy:** \n    *   Use `wp-cli` to create a page with the discovered shortcode.\n    *   Navigate to the page using `browser_navigate`.\n    *   Extract any nonce using `browser_eval`.\n    *   Submit the form via `http_request` or `browser_click`.\n\n## 5. Exploitation Strategy\n1.  **Discovery:** Confirm the plugin is active and determine the exact shortcode by grepping the source: `grep -r \"add_shortcode\" .`\n2.  **Environment Setup:** Create a post\u002Fpage containing the form.\n3.  **Trigger Logging:** \n    *   Analyze the spam detection logic (e.g., search for \"honeypot\" or \"hidden\" fields).\n    *   Submit a form entry that intentionally triggers the spam filter (e.g., filling out a hidden honeypot field or submitting too quickly).\n4.  **Information Retrieval:** Perform a GET request to the log file location.\n\n### Expected HTTP Request (Data Retrieval)\n```http\nGET \u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt HTTP\u002F1.1\nHost: localhost\nConnection: close\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `stickeasy-protected-contact-form` version 1.0.1 is installed.\n2.  **Create Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Contact Us\" --post_status=publish --post_content='[stickeasy-contact-form]'\n    ```\n    *(Note: Replace `[stickeasy-contact-form]` with the actual shortcode found in the code.)*\n3.  **Identify Spam Trigger:**\n    *   Grep the code for the logging logic: `grep -r \"spcf-log.txt\" .`\n    *   Identify what causes the plugin to write to this file (e.g., if a field named `spcf_honeypot` is not empty).\n\n## 7. Expected Results\n*   **Successful Trigger:** The plugin creates the directory and file in `wp-content\u002Fuploads\u002F`.\n*   **Successful Disclosure:** The HTTP GET request returns a `200 OK` with a response body containing plain text logs, for example:\n    ```\n    [2023-10-27 10:00:00] SPAM Detected - IP: 192.168.1.1, Email: victim@example.com, Message: \"Check out this link...\"\n    ```\n\n## 8. Verification Steps\n1.  **Check Filesystem via CLI:**\n    ```bash\n    ls -l \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt\n    ```\n2.  **Verify Content:**\n    ```bash\n    cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt\n    ```\n3.  **Confirm Accessibility:** Check the HTTP response status of the direct URL.\n\n## 9. Alternative Approaches\nIf the plugin uses an obscure spam detection method:\n*   **Analysis:** Look for `is_spam` or `check_spam` functions in the code.\n*   **Brute Force:** If the trigger is just \"high frequency\", use a loop to submit multiple requests quickly to see if the log populates.\n*   **Direct Path Check:** If the uploads directory is protected by a generic `.htaccess` (unlikely in default WP), try to see if the plugin provides an admin setting to view logs, which might have its own IDOR or access control flaw.","The StickEasy Protected Contact Form plugin for WordPress (versions up to 1.0.1) stores spam detection logs in a publicly accessible text file within the WordPress uploads directory. This allows unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and form submission content.","The exploit involves two main steps: first, triggering the creation or update of the log file by submitting a contact form entry that fails the plugin's spam detection logic (such as filling out a hidden honeypot field). Second, an unauthenticated attacker performs a direct HTTP GET request to the predictable file path: `http:\u002F\u002F[target-site]\u002Fwp-content\u002Fuploads\u002Fstickeasy-protected-contact-form\u002Fspcf-log.txt`. If successful, the server returns the plain-text log containing PII of previous site visitors.","gemini-3-flash-preview","2026-04-20 23:48:36","2026-04-20 23:49:13",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","1.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstickeasy-protected-contact-form\u002Ftags\u002F1.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstickeasy-protected-contact-form.1.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstickeasy-protected-contact-form\u002Ftags\u002F1.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstickeasy-protected-contact-form.1.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstickeasy-protected-contact-form\u002Ftags"]