Full Disclosure of Vulnerability That Exposes Contact Form Submissions in WordPress Plugin with 30,000 Installs
Just yesterday we were discussing the problematic behavior of WordPress Support Forum moderators deleting discussions related to vulnerabilities in plugins. What is of most concern with that is that they often do it without making sure anything is done about getting the vulnerability fixed, which leaves websites vulnerable in instances where they shouldn’t be. Another reason that is problematic is that information on vulnerabilities can be helpful in finding other security issues in the same plugin or in other plugins.
Along those lines, while writing up a post with the details of several vulnerabilities that had been fixed the other day in the plugin Contact Form Email, we noticed a fairly serious issue still in the plugin. It turns out that anyone can download all of the contact form submissions made through the plugin. According to wordpress.org this plugin has 30,000+ active installations.
The vulnerability occurs because the plugin handles the dispatching of a number of its functions very insecurely. The plugin’s function data_management() runs during the init action, which fires after WordPress “has finished loading but before any headers are sent”:

add_action( 'init', array($cp_cfte_plugin, 'data_management'));
One of those functions that can be run through that is export_csv():

if ($this->get_param($this->prefix.'_csv') && is_admin() ) {
    $this->export_csv();
    return;
}
The function is_admin() used there checks whether an admin page (a URL under /wp-admin/) is being requested, not whether the current user is an Administrator-level user.
The only restriction in export_csv() itself on doing the export is again a check of is_admin():

function export_csv () {
    if (!is_admin()) return;

So, without even being logged in to WordPress, if someone accesses the URL to export the contact form submissions, they get a download of all of the submissions for the specified contact form. That has been the case since the first version of the plugin was released, over five and a half years ago.
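To show the distinction the post is drawing, here is an added example (not code from the Contact Form Email plugin): the is_admin()-only gate beside a version that also requires a capability and a nonce. The function names and the nonce action name are assumptions made for this illustration; is_admin(), current_user_can(), check_admin_referer(), wp_nonce_url() and wp_die() are WordPress core functions.

```php
<?php
// Added illustration, not the plugin's code. Only the WordPress core
// functions are real; the example_* names and the nonce action are assumed.

// Vulnerable pattern: is_admin() is true for ANY request to a /wp-admin/
// URL, including one from a visitor who is not logged in at all.
function example_export_csv_insecure() {
    if ( ! is_admin() ) {
        return;
    }
    // build the CSV and send it to whoever made the request
}

// Hardened pattern: the request must come from a logged-in user who holds
// a capability appropriate for reading submissions, and must carry a nonce
// so the export cannot be triggered by a link planted elsewhere (CSRF).
function example_export_csv_hardened() {
    if ( ! is_admin() ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'You are not allowed to export form submissions.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
    // Checks the _wpnonce request field against the action name and
    // stops execution with an error page if it is missing or invalid.
    check_admin_referer( 'example_export_csv' );
    // only now build and send the CSV
}

// The export link rendered in the admin UI must carry the matching nonce,
// otherwise legitimate administrators would be blocked too:
function example_export_link( $form_id ) {
    $url = admin_url( 'admin.php?page=example_plugin&form=' . (int) $form_id . '&example_csv=1' );
    return wp_nonce_url( $url, 'example_export_csv' );
}
```

A capability check without the nonce still stops anonymous downloads, but leaves a logged-in administrator exposed to being tricked into triggering the export from another site.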
What seems important to note here, considering the advice you can find out there that claims to point to things that indicate whether a plugin is secure or not, is that not only is the plugin fundamentally insecure while being fairly popular, but it also checks a number of boxes we have seen claimed to indicate that a plugin is secure:
- Developed by a company
- Monetized
- Longtime developer (wordpress.org lists them as being a member since June of 2012)
- Developer of multiple plugins (25 in total)
Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).
Proof of Concept
The following proof of concept will download the saved submissions for the contact form with ID 1.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=cp_contactformtoemail&cal=1&list=1&search=&dfrom=&tfrom=&dto=&tto=&cal=1&cp_contactformtoemail_csv=Export+to+CSV