VYPR
Medium severity · 5.4 · NVD Advisory · Published May 22, 2024 · Updated Apr 15, 2026

CVE-2024-4261


Description

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated attackers with subscriber-level access can execute arbitrary shortcodes in the Lead Form Builder plugin for WordPress up to version 1.9.1 due to insufficient validation before do_shortcode.

Vulnerability

The Responsive Contact Form Builder & Lead Generation Plugin (lead-form-builder) for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 1.9.1. The vulnerability resides in the lead_form_builder method within /trunk/block/app.php [1]. The code runs do_shortcode with user-supplied input after minimal sanitization (absint on $formid), but does not validate or restrict the shortcode tags that can be executed. The do_shortcode call is triggered when the current_user_can('manage_options') and current_user_can('edit_posts') checks pass, which are accessible to subscribers and above due to WordPress's default capability mapping. The plugin allows authenticated users to send a POST request with a data parameter containing a form ID that is then passed into do_shortcode('[lead-form form-id=' . esc_attr($formid) . ']'). However, the shortcode parsing is not limited to the [lead-form] tag; an attacker can inject arbitrary shortcodes because the plugin's logic does not escape or restrict the output of do_shortcode [1].

Exploitation

An attacker needs a valid WordPress user account with at least subscriber-level access. They can craft a POST request to the lead_form_builder AJAX action, sending a nonce and a data parameter containing a crafted form ID that, when processed, triggers arbitrary shortcode execution. For example, the $formid value can be manipulated to include or leverage WordPress core shortcodes like [file] or any other registered shortcode that can read or write sensitive data. The do_shortcode function processes the entire string, including the injected shortcode tags. The attacker does not need direct write access to posts; the shortcode execution happens server-side during the AJAX call. The attacker must also include a valid nonce (lfb_nonce_action) in the request, which can be obtained from the WordPress admin page where the block is rendered [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary shortcodes available in the WordPress installation. This can lead to information disclosure (e.g., reading private posts), data manipulation (e.g., updating user meta or options), or even file inclusion or remote code execution if the site has shortcodes from other plugins that provide such capabilities. The attacker's privilege level is limited to the subscriber role, but the impact can be escalated depending on the shortcodes available in the environment. The confidentiality, integrity, and availability of the site can be partially compromised.

Mitigation

The vendor has not released a fixed version as of the publication date (2024-05-22) for this CVE. The affected versions include up to and including 1.9.1. Users should disable the plugin if it is not essential, or apply the principle of least privilege by ensuring that subscriber accounts are not given unnecessary access. A temporary workaround is to implement a custom filter or code snippet that restricts the execution of dangerous shortcodes or validates the input before do_shortcode is called. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
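As an added illustration of the workaround described above (example code, not the plugin's own code and not a vendor patch), the following AJAX handler validates the form ID as a positive integer and renders only the [lead-form] shortcode, so no shortcode parser ever runs over request-derived text. The action name, the data parameter and the lfb_nonce_action nonce follow this page's description; the edit_posts capability and the get_post() existence check are choices made for the example.

```php
<?php
// Added example, not the plugin's code: a hardened handler for the
// lead_form_builder AJAX action. Assumptions: the 'data' POST parameter
// carries the form ID and the nonce action is 'lfb_nonce_action' (both as
// described on the page); the capability and get_post() check are our choice.

add_action( 'wp_ajax_lead_form_builder', 'lfb_hardened_render_form' );

function lfb_hardened_render_form() {
    // 1. Nonce check: rejects requests not issued from the page that rendered the block.
    check_ajax_referer( 'lfb_nonce_action', 'nonce' );

    // 2. Capability check: rendering a block preview is an editing action, so
    //    require edit_posts, which the default subscriber role does not have.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Strict input validation. absint() turns anything non-numeric into 0,
    //    so 0 must be rejected as well; also require that a post with that ID exists.
    $formid = isset( $_POST['data'] ) ? absint( wp_unslash( $_POST['data'] ) ) : 0;
    if ( $formid < 1 || null === get_post( $formid ) ) {
        wp_send_json_error( 'invalid form id', 400 );
    }

    // 4. Render only the intended shortcode by invoking its registered callback
    //    directly. Nothing is concatenated into a shortcode string and do_shortcode()
    //    is never called on request-derived text, so no other registered tag
    //    (core or third-party) is reachable from this endpoint.
    if ( ! shortcode_exists( 'lead-form' ) ) {
        wp_send_json_error( 'shortcode not registered', 500 );
    }
    global $shortcode_tags;
    $html = call_user_func(
        $shortcode_tags['lead-form'],
        array( 'form-id' => $formid ), // attribute value is a validated integer
        '',
        'lead-form'
    );

    wp_send_json_success( array( 'html' => $html ) );
}
```

If the callback-based render is not practical, the equivalent minimal fix is do_shortcode( sprintf( '[lead-form form-id="%d"]', $formid ) ), where the %d format guarantees that only an integer reaches the parser.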

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)