CVE-2019-25734

Vulnerability

Contact Form by WD version 1.13.1 contains a cross-site request forgery (CSRF) vulnerability that can be combined with local file inclusion (LFI). This vulnerability arises from unsanitized action parameters, allowing unauthenticated attackers to include arbitrary files on the server. The vulnerability is exploitable by targeting the admin-ajax.php endpoint with directory traversal sequences within the GET action parameter [2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious form. The attacker would target the admin-ajax.php endpoint and use directory traversal sequences within the action parameter to include arbitrary files. This bypasses authentication checks on vulnerable AJAX actions, enabling the attacker to achieve file inclusion via CSRF [2].

Impact

Successful exploitation allows an unauthenticated attacker to include arbitrary files from the server. This can lead to information disclosure or potentially further compromise depending on the files that can be included and the server's configuration. The scope of the compromise is limited to the privileges of the web server process [2].

Mitigation

The plugin 'Contact Form by WD' was closed as of June 15, 2023, and is no longer available for download due to an author request [1]. No specific patch information or fixed version is available. Users should remove the plugin if possible. Web-Dorado has evolved into 10Web, and users with active licenses should log in to access downloads via the new platform [3].