CVE-2019-25734

Contact Form by WD 1.13.1 CSRF to Local File Inclusion

CVSS 5.1 MEDIUMEPSS 0.9%CWE-22

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Productos afectados

Web-Dorado · Contact Form Maker

PoCs públicas encontradas — 1

cve_referencewww.exploit-db.com/exploits/46661no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wordpress.org/plugins/contact-form-maker https://www.exploit-db.com/exploits/46661 https://www.vulncheck.com/advisories/contact-form-by-wd-csrf-to-local-file-inclusion http://web-dorado.com/