A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the WordPress Contact Form With Captcha plugin. This vulnerability could allow a malicious actor to force higher-privileged users to execute unwanted actions under their current authentication.
This vulnerability was discovered and reported by LEE SE HYOUNG (hackintoanetwork).
The vulnerability is caused by a lack of CSRF protection in the plugin’s code. This allows an attacker to craft a malicious request that, when sent to a logged-in user, will cause the user to perform an unwanted action.
The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high severity. This means that the vulnerability is moderately likely to be exploited and could have a significant impact on the affected system.
All versions of the WordPress Contact Form With Captcha plugin are affected by this vulnerability.
The ramifications of a Cross Site Request Forgery (CSRF) vulnerability are severe:
- Unauthorized Actions: Attackers can force logged-in users, especially those with higher privileges, to execute actions they did not intend to perform.
- Data Manipulation: This vulnerability can lead to data manipulation, content modification, and unauthorized changes to the website.
- User Safety: CSRF attacks can compromise user data, affect user experience, and potentially damage your website’s reputation.
There is currently no patched version of the WordPress Contact Form With Captcha plugin available. To mitigate the risk of exploitation, it is recommended that you disable the plugin until a patched version is released.
Given the gravity of this security concern, strongly recommend taking the following steps:
- Temporary Deactivation: Since no patched version is available, consider temporarily deactivating the Contact Form With Captcha Plugin to minimize the vulnerability.
- Regular Security Audits: Engage in routine security audits to proactively identify and address vulnerabilities WordPress website.
- User Awareness: Educate users about safe online practices and caution them against clicking on unverified links or downloading suspicious files.
- Alternative Solutions: Investigate alternative plugins or solutions for your contact form requirements while this issue remains unresolved.
It is important to note that there is currently no patched version of the WordPress Contact Form With Captcha plugin available. Therefore, it is important to disable the plugin until a patched version is released.