CVE-2019-11590
Description
The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
Affected products
- Range: <1.13.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on `$_GET['action']` (and `$_REQUEST['page']` for frontend actions) allows directory traversal when the plugin dynamically loads a file based on that parameter."
Attack vector
An attacker crafts a POST request to `wp-admin/admin-ajax.php` whose body carries a legitimate AJAX action in `$_POST['action']` (e.g., `generete_csv`) and whose query string carries a directory-traversal payload in `$_GET['action']` (e.g., `/../../../../../index`). WordPress dispatches the AJAX hook on the action value it sees in `$_REQUEST`, where under PHP's default request order the POST value overrides the GET value, so the legitimate action is routed; the plugin callback, however, reads `$_GET['action']` directly to build the path of the file it includes, and the unsanitized GET value yields local file inclusion. For the PRO frontend actions (e.g., `get_frontend_stats`), no CSRF is needed: those actions are registered for unauthenticated users, and the vulnerable parameter is `$_REQUEST['page']` [ref_id=1].
Affected code
The AJAX callback `form_maker_ajax` loads a file whose name is built from `$_GET['action']` (falling back to `$_POST['action']` only when the GET parameter is absent). The GET value is not sanitized, so a traversal sequence is carried straight into the include path. The PRO-version callback `form_maker_ajax_frontend` has the same defect with `$_REQUEST['page']` [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the vendor resolved the issue in version 1.13.5. The fix presumably sanitizes or validates the `$_GET['action']` and `$_REQUEST['page']` parameters before using them to load a file, preventing directory traversal. No further remediation details are provided in the disclosure [ref_id=1].
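The following PHP is an added illustration, not the Form Maker plugin's code and not the vendor's fix. It models the attack-vector and affected-code sections above: a hypothetical callback that prefers `$_GET['action']` and concatenates it into an include path, beside a hardened version that routes and loads on the same POST value WordPress used and maps allowlisted action names to fixed files. The controller directory, its depth below the web root, and the file names are assumptions; the request arrays are constructed from the reproduction section.

```php
<?php
// Added illustration, not the Form Maker plugin's code. It models the
// admin-ajax routing discrepancy: WordPress dispatches the hook on the
// POST action, while a (hypothetical) plugin callback builds an include
// path from $_GET['action']. Directory layout and names are assumptions.

declare(strict_types=1);

const CONTROLLER_DIR = '/var/www/html/wp-content/plugins/form-maker/admin/controller';

// Lexically resolve "." and ".." so the effect of a traversal payload is
// visible without touching the filesystem (realpath() needs an existing file).
function lexical_normalize(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Vulnerable pattern (as the advisory describes it): the raw GET value is
// preferred over the POST value and concatenated straight into the path.
function vulnerable_controller_path(array $get, array $post): string {
    $action = $get['action'] ?? $post['action'] ?? '';
    return lexical_normalize(CONTROLLER_DIR . '/' . $action . '.php');
}

// Hardened pattern: use the same parameter WordPress routed on, accept only
// allowlisted names mapped to fixed files, and refuse any resolved path that
// leaves the controller directory (defence in depth against future edits).
function safe_controller_path(array $post): ?string {
    $map = [
        'generete_csv'       => 'generete_csv.php',
        'get_frontend_stats' => 'get_frontend_stats.php',
    ];
    $action = $post['action'] ?? '';
    if (!isset($map[$action])) {
        return null;                       // unknown action: include nothing
    }
    $path = lexical_normalize(CONTROLLER_DIR . '/' . $map[$action]);
    if (strpos($path, CONTROLLER_DIR . '/') !== 0) {
        return null;                       // resolved outside the directory
    }
    return $path;
}

// Constructed request matching the reproduction section:
//   POST /wp-admin/admin-ajax.php?action=/../../../../../index
//   body: action=generete_csv
$get  = ['action' => '/../../../../../index'];
$post = ['action' => 'generete_csv'];

// With the assumed layout, five ".." segments climb from the controller
// directory to the web root, so the vulnerable path resolves to
// /var/www/html/index.php; the hardened version ignores the GET value.
echo "vulnerable include: " . vulnerable_controller_path($get, $post) . PHP_EOL;
echo "hardened include:   " . (safe_controller_path($post) ?? 'refused') . PHP_EOL;
```

Run it with `php` from the command line. The key design point is that the hardened version never builds a path from attacker text at all: the action name is only ever a key into a fixed map, so neither traversal sequences nor null bytes in either `$_GET` or `$_POST` can reach the include statement.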
Preconditions
- config: The Form Maker plugin (version < 1.13.5) must be installed and active on a WordPress site.
- auth: For the CSRF variant, a logged-in administrator must be tricked into submitting the crafted form.
- auth: For the direct-exploit variant (PRO frontend actions), no authentication is required.
- network: The attacker must be able to send HTTP requests to the WordPress admin-ajax.php endpoint.
- input: The attacker supplies a directory-traversal payload in the GET action parameter (or the REQUEST page parameter for frontend actions).
Reproduction
**CSRF variant:** Create an HTML form that POSTs to `http://target/wp-admin/admin-ajax.php?action=/../../../../../index` with a hidden or selected `action` field (e.g., `generete_csv`). When a logged-in admin submits the form, the plugin loads the file at the traversed path.

**Direct variant (unauthenticated):** Run `curl 'http://target/wp-admin/admin-ajax.php' -d 'action=get_frontend_stats&page=/../../../../../index'` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- seclists.org/fulldisclosure/2019/Apr/36
- lists.openwall.net/full-disclosure/2019/04/05/11
- wordpress.org/plugins/form-maker/
News mentions
No linked articles in our index yet.