------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in FormBuilder WordPress Plugin
allows plugin permissions modification
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been encountered in the
FormBuilder WordPress Plugin. This issue allows an attacker to change
permission settings for the plugin by luring a logged-on WordPress
Administrator into following a malicious link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in FormBuilder version 1.08 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder Plugin for WordPress allows you to build contact forms
in the WordPress administrative interface without needing to know PHP
or HTML.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The FormBuilder plugin lacks a CSRF (nonce) token on the request that
saves permissions. Because of this, an attacker is able to change
permission settings for the plugin.
To achieve this, a logged-on WordPress Administrator must be lured into
following a malicious link. Proof of Concept code that demonstrates this
issue can be found below.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The Proof of Concept code below injects script code in the "Login
Required Message" in the settings page of the FormBuilder plugin.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_formbuilder_wordpress_plugin_allows_plugin_permissions_modification.html
[2] https://wordpress.org/plugins/formbuilder/
[3] https://downloads.wordpress.org/plugin/formbuilder.1.08.zip
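
------------------------------------------------------------------------
Added example: nonce check on a settings-save request
------------------------------------------------------------------------
The following is an added example, not the Proof of Concept and not code
from the advisory or from FormBuilder. It shows a WordPress settings
handler that carries the kind of nonce check the Details section reports
as missing. The plugin slug "example-forms", the option, field and
function names are hypothetical; the WordPress functions called are core
APIs, and PHP 7 or later is assumed.

```php
<?php
/*
 * Plugin Name: Example Forms (nonce demo)
 * Hypothetical plugin; every exf_* name is illustrative, not FormBuilder's.
 */

const EXF_ACTION = 'exf_save_permissions'; // nonce action, bound to this one operation
const EXF_FIELD  = 'exf_nonce';            // hidden form field carrying the nonce

add_action('admin_menu', function () {
    add_options_page('Example Forms', 'Example Forms', 'manage_options',
        'example-forms', 'exf_render_page');
});

// Render the form. wp_nonce_field() emits a hidden input whose value is tied
// to the current user, session and action, so a third-party page cannot supply it.
function exf_render_page() {
    $role = get_option('exf_manage_role', 'administrator');
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr(EXF_ACTION) . '">';
    wp_nonce_field(EXF_ACTION, EXF_FIELD);
    echo '<input type="text" name="exf_manage_role" value="' . esc_attr($role) . '">';
    submit_button('Save permissions');
    echo '</form>';
}

// admin-post.php fires admin_post_{action} for logged-in users only.
add_action('admin_post_' . EXF_ACTION, function () {
    // 1. Authorization: the session cookie proves who is asking, not intent.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // 2. CSRF: terminates the request unless a valid nonce for this action
    //    is present. Leaving this call out gives the class of bug described above.
    check_admin_referer(EXF_ACTION, EXF_FIELD);

    // 3. Only now change state; allow-list the value instead of storing it raw.
    $role = sanitize_key(wp_unslash($_POST['exf_manage_role'] ?? ''));
    if (get_role($role) !== null) {
        update_option('exf_manage_role', $role);
    }
    wp_safe_redirect(admin_url('options-general.php?page=example-forms'));
    exit;
});
```

When reviewing a plugin for this issue, check that every state-changing
admin handler pairs a capability check with a nonce check before the
first write.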