Local File Inclusion vulnerability in Form Maker By WD (Pro) <= 1.12.18

We found a local file inclusion vulnerability in the Form Maker By WD plugin (Pro version). The free version has over 100,000 active installs.

Details about the vulnerability:

The form_maker_ajax_frontend function is hooked to AJAX actions such as wp_ajax_nopriv_get_frontend_stats, wp_ajax_nopriv_frontend_show_map and wp_ajax_nopriv_frontend_generate_csv (the nopriv hooks are reachable without logging in). The problem with this function is that it takes the name of the file to include from an HTTP GET variable and then includes that page, so a PHP file from any directory can be included.

The vulnerability was fixed in version 1.12.18 after we reported it to the author.

Authenticated Arbitrary File Deletion Vulnerability in Simple Contact Info plugin <= v1.1.9

We recently discovered an authenticated arbitrary file deletion vulnerability in the Simple Contact Info plugin. The plugin has 6000+ active installs according to wordpress.org, but it has not been updated in 3 years.

In inc/contat-ajax.php, the sci_ajax_delete_icon_callback function doesn't check for a valid nonce, the user's role, or the file path.

After we reported it to the wordpress.org plugin repository admins, they closed the plugin.

Missing Function Level Access Control Vulnerability in Email Subscribers & Newsletters plugin <= v3.4.7

The Email Subscribers & Newsletters plugin, which has over 100,000 active installs according to wordpress.org, has a Missing Function Level Access Control vulnerability. It allows an attacker to download the entire list of website subscribers with their names and e-mail addresses. The vulnerability has been fixed in v3.4.8.

Details:

In /classes/es-directly.php

The function es_plugin_parse_request is hooked to the parse_request action. The assignment $page = $qstring->query_vars['es']; lets a visitor require (include) the export file by appending /?es=export to a URL.

The problem is in export/export-email-address.php. This file is not properly secured:

If we send an HTTP POST request to a URI with /?es=export and add option=view_all_subscribers in the body, we can download a CSV file containing names, e-mail addresses and registration dates.
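The three advisories above share one root cause: a WordPress hook handler that trusts request data and skips the nonce, capability and path checks. The following hardened handlers are an added example written for this post, not code from any of the three plugins; every name prefixed my_plugin_ and the page/icon/nonce parameters are hypothetical.

```php
<?php
// Added example, not taken from Form Maker, Simple Contact Info or Email
// Subscribers. All my_plugin_* names and request parameters are hypothetical.

// 1. Includes: never build a path from request data. Map a short key to a
//    fixed file under the plugin directory (the fix for the LFI pattern).
function my_plugin_ajax_frontend() {
    $allowed = array(
        'stats' => 'frontend/stats.php',
        'map'   => 'frontend/map.php',
        'csv'   => 'frontend/generate-csv.php',
    );
    $page = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';
    if ( ! isset( $allowed[ $page ] ) ) {
        wp_send_json_error( 'unknown page', 400 ); // exits
    }
    require plugin_dir_path( __FILE__ ) . $allowed[ $page ];
    wp_die();
}
add_action( 'wp_ajax_my_plugin_frontend', 'my_plugin_ajax_frontend' );
add_action( 'wp_ajax_nopriv_my_plugin_frontend', 'my_plugin_ajax_frontend' );

// 2. Destructive or data-exposing actions: verify a nonce, require a
//    capability, and confine the target to one directory (the fix for the
//    file-deletion and subscriber-export patterns). Deliberately no
//    wp_ajax_nopriv_ hook, so anonymous requests never reach this code.
function my_plugin_ajax_delete_icon() {
    check_ajax_referer( 'my_plugin_delete_icon', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] . '/my-plugin-icons' );
    $name   = isset( $_POST['icon'] ) ? basename( wp_unslash( $_POST['icon'] ) ) : '';
    $target = ( $base && '' !== $name ) ? realpath( $base . '/' . $name ) : false;
    // realpath() resolves ../ and symlinks; the prefix test keeps us inside $base.
    if ( ! $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}
add_action( 'wp_ajax_my_plugin_delete_icon', 'my_plugin_ajax_delete_icon' );
```

The same check_ajax_referer() / current_user_can() pair belongs at the top of any export endpoint before a single subscriber row is written to the response.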