
V-221: WordPress A Forms Plugin Cross-Site Request Forgery and Form Field Script Insertion Vulnerabilities

August 19, 2013 - 6:00am


PROBLEM:

Two vulnerabilities have been reported in the A Forms plugin for WordPress.

PLATFORM:

WordPress A Forms Plugin 1.x

ABSTRACT:

These vulnerabilities can be exploited to conduct cross-site request forgery and script insertion attacks.

REFERENCE LINKS:

Secunia Advisory SA54489
WordPress Advisory

IMPACT ASSESSMENT:

Medium

DISCUSSION:

1) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. submit certain forms when a logged-in user visits a specially crafted web page.

2) Input passed via form fields (when e.g. the "field type" is set to "text" or "textarea") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
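As an added illustration of the two weaknesses described above (this is not the A Forms plugin's code, and the option key, function names and nonce action are assumed), the following hypothetical WordPress form-field handler is shown first in the vulnerable shape the advisory describes and then hardened with a nonce check, a capability check, input sanitisation and output escaping:

```php
<?php
// Added example, not the A Forms plugin's code. Option key 'af_field' and
// nonce action 'af_save_field' are hypothetical names.

// --- Vulnerable pattern (for contrast) ----------------------------------
// 1) No nonce or capability check: a request forged from another site the
//    logged-in admin visits is accepted (CSRF).
// 2) Label and field type are stored raw and echoed raw (script insertion).
function af_save_field_vulnerable() {
    if ( isset( $_POST['af_label'] ) ) {
        update_option( 'af_field', array(
            'label' => $_POST['af_label'],
            'type'  => $_POST['af_type'],
        ) );
    }
}
function af_render_field_vulnerable() {
    $f = get_option( 'af_field' );
    echo '<label>' . $f['label'] . '</label>';
    echo '<input type="' . $f['type'] . '">';
}

// --- Hardened pattern ----------------------------------------------------
function af_settings_form() {
    // Emits the hidden nonce field that the save handler verifies.
    wp_nonce_field( 'af_save_field', 'af_nonce' );
}
function af_save_field_hardened() {
    if ( ! isset( $_POST['af_label'] ) ) {
        return;
    }
    // Reject requests that did not originate from our own form (anti-CSRF).
    check_admin_referer( 'af_save_field', 'af_nonce' );
    // Only users allowed to manage options may change form configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Whitelist the field type; strip tags and control characters from the label.
    $posted = isset( $_POST['af_type'] ) ? $_POST['af_type'] : 'text';
    $type   = in_array( $posted, array( 'text', 'textarea' ), true ) ? $posted : 'text';
    update_option( 'af_field', array(
        'label' => sanitize_text_field( wp_unslash( $_POST['af_label'] ) ),
        'type'  => $type,
    ) );
}
function af_render_field_hardened() {
    $f = get_option( 'af_field', array( 'label' => '', 'type' => 'text' ) );
    // Escape on output as well, so stored data can never become markup.
    echo '<label>' . esc_html( $f['label'] ) . '</label>';
    echo ( 'textarea' === $f['type'] )
        ? '<textarea name="af_value"></textarea>'
        : '<input type="text" name="af_value">';
}
```

Both layers matter: the nonce and capability checks stop the forged submission, while the whitelist and escaping ensure that even data already stored by an earlier forged request is rendered as text rather than executed.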

IMPACT:

Cross Site Scripting

SOLUTION:

Vendor recommends updating to version 1.4.2.
