The WPB Popup for Contact Form 7 is a popular WordPress plugin used to display a popup containing the contact form on button click events. It is known as "Showing The Contact Form 7 Popup on Button Click - CF7 Popup" and has a significant number of installations on WordPress websites. However, a critical vulnerability has been discovered in all versions up to and including version 1.7.5. This vulnerability, designated as CVE-2024-11038, allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to the compromise of the affected website.
Details of the Vulnerability
The vulnerability lies in the 'wpb_pcf_fire_contact_form' AJAX action, which is responsible for processing and displaying the popup containing the contact form. The plugin does not properly validate a value before running the 'do_shortcode' function, allowing attackers to execute arbitrary shortcodes.
The vulnerable code snippet is as follows:

// Both hooks register the handler: the "nopriv" variant makes it reachable
// without any authentication via /wp-admin/admin-ajax.php
add_action( 'wp_ajax_nopriv_wpb_pcf_fire_contact_form', 'wpb_pcf_fire_contact_form' );
add_action( 'wp_ajax_wpb_pcf_fire_contact_form', 'wpb_pcf_fire_contact_form' );

function wpb_pcf_fire_contact_form() {
    if ( isset( $_POST['shortcode'] ) ) {
        // The raw POST value is passed straight to do_shortcode(): no nonce
        // check, no allowlist of shortcode tags, no sanitisation
        echo do_shortcode( $_POST['shortcode'] );
    }
    wp_die();
}
As the code above indicates, the 'do_shortcode' function is executed without any proper validation of the value provided in the 'shortcode' parameter. Due to this, unauthenticated users can potentially exploit this vulnerability to execute any shortcode of their choice.
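For contrast, here is an illustrative hardened version of the handler, written as an added example for this advisory; it is not the vendor's 1.7.6 patch and the nonce action name 'wpb_pcf_popup' and the 'form_id' parameter are assumptions. The client is only allowed to name a Contact Form 7 form by its numeric post ID; the shortcode string is assembled server-side, so user-controlled text never reaches do_shortcode().

```php
// Added example (not the plugin's own code). Assumed names: nonce action
// 'wpb_pcf_popup', POST parameter 'form_id'.
add_action( 'wp_ajax_nopriv_wpb_pcf_fire_contact_form', 'wpb_pcf_fire_contact_form_hardened' );
add_action( 'wp_ajax_wpb_pcf_fire_contact_form', 'wpb_pcf_fire_contact_form_hardened' );

function wpb_pcf_fire_contact_form_hardened() {
    // Tie the request to a page that actually rendered the popup button.
    // For logged-out visitors the nonce is only a weak anti-CSRF measure,
    // so it must not be the only control; the allowlist below is the real fix.
    check_ajax_referer( 'wpb_pcf_popup', 'nonce' );

    // Accept a positive integer only; anything else collapses to 0.
    $form_id = isset( $_POST['form_id'] ) ? absint( wp_unslash( $_POST['form_id'] ) ) : 0;

    // Only a published Contact Form 7 form (post type wpcf7_contact_form)
    // may be rendered. Rejecting here prevents rendering arbitrary post types.
    if ( 0 === $form_id
        || 'wpcf7_contact_form' !== get_post_type( $form_id )
        || 'publish' !== get_post_status( $form_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid form id' ), 400 );
    }

    // The shortcode tag is a fixed constant; the only variable part is the
    // validated integer, so no other shortcode can be reached from this endpoint.
    echo do_shortcode( sprintf( '[contact-form-7 id="%d"]', $form_id ) );
    wp_die();
}
```

The same approach generalises to any AJAX endpoint that renders shortcodes: never pass request data to do_shortcode(), accept only an identifier, and construct the shortcode from an allowlisted tag on the server.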
Exploitation
An attacker can craft a malicious request to exploit this vulnerability by sending an AJAX POST request with their desired shortcode as the parameter.
The following is an example of a crafted request using cURL:

curl -X POST "https://example.com/wp-admin/admin-ajax.php" \
    -d "action=wpb_pcf_fire_contact_form&shortcode=[malicious_shortcode]"
Replace "example.com" with the target website and "malicious_shortcode" with the desired shortcode to be executed.
Mitigation
The developers of the WPB Popup for Contact Form 7 plugin have released a patch for this vulnerability in version 1.7.6. It is highly recommended for users of the plugin to update to the latest version as soon as possible to mitigate the risk of exploitation.
You can download the latest version of the plugin from the official WordPress plugin repository: WPB Popup for Contact Form 7
Original References
1. WPB Popup for Contact Form 7 Plugin Page: https://wordpress.org/plugins/wpb-popup-for-contact-form-7/
2. CVE-2024-11038 NVD Listing: https://nvd.nist.gov/vuln/detail/CVE-2024-11038
Conclusion
The WPB Popup for Contact Form 7 plugin for WordPress is prone to an unauthenticated arbitrary shortcode execution vulnerability due to the improper validation of user input. The vulnerability, known as CVE-2024-11038, affects all versions up to and including 1.7.5. Users running these vulnerable versions should immediately update to the latest version (1.7.6 or later) to protect their websites from potential attacks.
Timeline
Published on: 11/19/2024 11:15:05 UTC
Last modified on: 11/19/2024 21:57:32 UTC