CVE-2023-25969

Vulnerability

A missing authorization vulnerability exists in the Contact Form & Lead Form Elementor Builder plugin for WordPress (versions from n/a through 1.8.4). The plugin fails to properly verify access control security levels, allowing an unauthenticated or low-privileged attacker to exploit incorrectly configured access controls [1].

Exploitation

Exploitation requires user interaction — a privileged user must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form. The attacker does not need prior authentication but relies on a cross-site request forgery (CSRF) vector to perform actions that the victim user is authorized to do [1].

Impact

Successful exploitation allows an attacker to trigger higher-privileged actions on behalf of the victim user, potentially leading to unauthorized data modification, deletion, or other administrative operations within the WordPress site. The impact is limited by the privileges of the tricked user and the specific actions taken [1].

Mitigation

Update to version 1.8.5 or later. If immediate update is not possible, patchstack users can apply the available mitigation rule to block attacks until the plugin is patched. The vulnerable versions are up to 1.8.4 inclusive [1].