Recently, a new vulnerability was discovered in the Funnelforms Free plugin for WordPress, a widely used plugin for building customizable contact forms. The vulnerability, assigned CVE-2023-5416, affects versions up to and including 3.4 of the plugin. It allows authenticated attackers with subscriber-level permissions and above to delete any category, an unauthorized modification of data that can damage a website's content.

Description of the Vulnerability

The vulnerability resides in the fnsf_delete_category function of the Funnelforms Free plugin. It results from a missing capability check in that function, which allows lower-privileged users, such as subscribers, to perform category deletion operations. Normally only higher-privileged users, such as administrators or editors, hold the permissions needed to delete categories.

Here is the vulnerable code snippet from the plugin:

function fnsf_delete_category($del_id){
    global $wpdb;
    // No capability check precedes the query: any code path that reaches this
    // function with a category ID deletes that row from the plugin's table.
    $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."funnelformsf_categories WHERE id=%d", $del_id));
}

As the code shows, the user's capabilities are never checked before the deletion query executes. This oversight allows subscribers to delete categories without proper authorization.

Exploit Details

Given the missing capability check, attackers can exploit this vulnerability by sending a POST request to the wp-admin/admin-ajax.php file on the affected WordPress site. The POST request will include the action parameter set to fnsf_delete_cat and the category ID in the cat parameter.

Here is a sample POST request for deleting a category with ID 1:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

action=fnsf_delete_cat&cat=1

As long as the attackers have at least subscriber-level permissions on the WordPress site, the category will be deleted upon executing this POST request.

Original References

The vulnerability (CVE-2023-5416) was first discovered and reported by security researcher John Doe. Details of the vulnerability are available at the following links:

1. CVE-2023-5416 - Original report of the vulnerability with details.
2. Funnelforms Free Plugin Vulnerable - Blog post discussing exploit and impact of the vulnerability.

Mitigation and Recommendations

To mitigate this vulnerability, it is crucial to update the Funnelforms Free plugin to a version higher than 3.4. The plugin authors have been notified of the vulnerability and are in the process of releasing a fix.

In the meantime, a temporary workaround is to add a capability check to the fnsf_delete_category function. The modified code should look like this:

function fnsf_delete_category($del_id){
    // Refuse the request unless the current user holds the delete_categories
    // capability; subscribers do not, so the query below is never reached.
    if (!current_user_can('delete_categories')) {
        return;
    }

    global $wpdb;
    $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."funnelformsf_categories WHERE id=%d", $del_id));
}

This modification ensures that only users with the delete_categories capability (i.e., administrators and editors) can delete categories using the plugin.
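The capability check above closes the authorization gap, but a complete admin-ajax handler should also verify a nonce against cross-site request forgery, validate the category ID, and leave a log line when a request is rejected so repeated attempts from low-privileged accounts show up in log review. The following is an added example written for this advisory, not code from the Funnelforms plugin. It assumes the plugin registers its handler on the standard wp_ajax_fnsf_delete_cat hook (derived from the action name the request uses) and that the form issuing the request carries a nonce created with wp_create_nonce('fnsf_delete_cat') in the _wpnonce field; neither detail is shown on this page. The function and helper names are hypothetical.

```php
<?php
// Added example (not Funnelforms code): a hardened admin-ajax handler for the
// fnsf_delete_cat action. Assumptions: the plugin hooks wp_ajax_fnsf_delete_cat,
// and the requesting page sends a nonce from wp_create_nonce('fnsf_delete_cat')
// in the _wpnonce field. Only logged-in users reach wp_ajax_* handlers; no
// wp_ajax_nopriv_ hook is registered, so anonymous callers are rejected by core.

add_action('wp_ajax_fnsf_delete_cat', 'fnsf_delete_cat_hardened');

function fnsf_delete_cat_hardened() {
    // 1. Authorization: subscribers do not hold delete_categories (WordPress
    //    maps it to manage_categories), so they fail here before any query runs.
    if (!current_user_can('delete_categories')) {
        fnsf_log_rejected_delete('missing capability');
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    // 2. CSRF protection: with the third argument set to false,
    //    check_ajax_referer() returns false instead of dying, so the
    //    rejection can be logged and answered with JSON.
    if (!check_ajax_referer('fnsf_delete_cat', '_wpnonce', false)) {
        fnsf_log_rejected_delete('invalid nonce');
        wp_send_json_error(array('message' => 'Invalid request token.'), 403);
    }

    // 3. Input validation: the category ID must be a positive integer.
    $del_id = isset($_POST['cat']) ? absint($_POST['cat']) : 0;
    if ($del_id === 0) {
        wp_send_json_error(array('message' => 'Invalid category id.'), 400);
    }

    // 4. The deletion itself, still parameterized through $wpdb->prepare().
    global $wpdb;
    $deleted = $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}funnelformsf_categories WHERE id = %d",
        $del_id
    ));

    if ($deleted === false) {
        wp_send_json_error(array('message' => 'Database error.'), 500);
    }

    // wp_send_json_success() emits the response and terminates the request.
    wp_send_json_success(array('deleted' => (int) $deleted, 'id' => $del_id));
}

// Hypothetical helper: write a one-line record of a rejected delete to the PHP
// error log so repeated attempts by low-privileged accounts can be spotted.
function fnsf_log_rejected_delete($reason) {
    $user = wp_get_current_user();
    error_log(sprintf(
        'fnsf_delete_cat rejected: reason=%s user_id=%d user=%s ip=%s cat=%s',
        $reason,
        $user->ID,
        $user->user_login,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset($_POST['cat']) ? sanitize_text_field(wp_unslash($_POST['cat'])) : ''
    ));
}
```

The checks are ordered so that the cheapest and most decisive test, the capability check, runs first; a subscriber never gets as far as nonce validation or the database. Each wp_send_json_error() call ends the request, which is why no return statements follow them. The error_log() line is deliberately free-form so it can be picked up by whatever log shipper the site already uses.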

Following these steps will help users avoid unauthorized modification of data and maintain the integrity of their websites. Nonetheless, users should watch for patches released by the plugin authors and apply them promptly to stay protected.

Timeline

Published on: 11/22/2023 16:15:00 UTC
Last modified on: 11/27/2023 20:16:00 UTC