← back
CVE-2015-6965

CVE-2015-6965

EPSS 3.0%
Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a field, (3) delete a field, (4) create a form, (5) update a form, (6) delete a form, (7) create a template, (8) update a template, (9) delete a template, or (10) conduct cross-site scripting (XSS) attacks via a crafted request to the cfg_forms page in wp-admin/admin.php.
Affected products
n/a · n/a
public PoCs found3
cve_referencepacketstormsecurity.com/files/133463/WordPress-Contact-Form-Generator-2.0.1-CSRF.htmlunverifiedcve_referencewww.exploit-db.com/exploits/38086/unverifiedexploitdbwww.exploit-db.com/exploits/38086unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/133463/WordPress-Contact-Form-Generator-2.0.1-CSRF.htmlhttps://wpvulndb.com/vulnerabilities/8176https://www.exploit-db.com/exploits/38086/