Description
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation in the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
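The following is an added illustration of the bug class described above and of the fix WordPress provides for it; it is not Forminator's code, and the function names, hook, parameter name (export_form_id) and nonce action string are hypothetical. The insecure listener acts on a request parameter with no nonce or capability check, so any request an administrator's browser can be induced to send is honoured; the hardened listener requires both a capability and a nonce bound to the specific export action, and the link generator shows where the matching nonce is issued.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// Hypothetical stand-in for the privileged action (exporting submissions).
function example_export_submissions( $form_id ) {
    return 'submissions-form-' . (int) $form_id . '.csv';
}

// VULNERABLE pattern (illustrative): the listener trusts the request as soon
// as the expected parameter is present. A cross-site <img> or form POST
// from an attacker's page is enough to trigger the export in the admin's
// authenticated session, because nothing proves the request originated
// from a page this site served.
function insecure_listen_for_export( array $request ) {
    if ( empty( $request['export_form_id'] ) ) {   // hypothetical parameter
        return null;
    }
    return example_export_submissions( $request['export_form_id'] );
}

// HARDENED pattern: capability check plus nonce check. The nonce action
// string includes the form id so a token issued for one form cannot be
// replayed against another.
function secure_listen_for_export( array $request ) {
    if ( empty( $request['export_form_id'] ) ) {
        return null;
    }
    $form_id = (int) $request['export_form_id'];

    // Authorization: only users who may manage the site can export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF defence: wp_verify_nonce() returns false for a missing, forged,
    // or expired token. The token is generated per user and per session,
    // so a third-party page cannot know a valid value in advance.
    $nonce = isset( $request['_wpnonce'] ) ? $request['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_export_submissions_' . $form_id ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }

    return example_export_submissions( $form_id );
}

// Where the legitimate export link is rendered, attach the matching nonce.
// wp_nonce_url() appends _wpnonce=<token> for the given action string.
function example_export_link( $form_id ) {
    $form_id = (int) $form_id;
    $url     = admin_url( 'admin.php?page=example_export&export_form_id=' . $form_id );
    return wp_nonce_url( $url, 'example_export_submissions_' . $form_id );
}

// Run the hardened listener on admin page loads (admin_init is a core hook).
add_action( 'admin_init', function () {
    secure_listen_for_export( $_GET );
} );
```

The check order matters: the capability test rejects anonymous or low-privilege sessions outright, and the nonce test rejects requests that a privileged user's browser was tricked into sending. Either check alone leaves a gap; the advisory above concerns the second one.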
Problem types
CWE-352 Cross-Site Request Forgery (CSRF)
Product status
* Affected (semver): before 1.13.5
Timeline
| 2021-03-01 | Disclosed |
Credits
Jerome Bruandet
References
www.wordfence.com/...-b83b-4436-aebe-533f5af03ef1?source=cve
blog.nintechnet.com/...s-plugins-vulnerable-to-csrf-attacks/
blog.nintechnet.com/...nd-themes-vulnerable-to-csrf-attacks/
blog.nintechnet.com/...ns-fixed-csrf-vulnerabilities-part-3/
blog.nintechnet.com/...ns-fixed-csrf-vulnerabilities-part-2/
blog.nintechnet.com/...ns-fixed-csrf-vulnerabilities-part-1/
blog.nintechnet.com/...ns-fixed-csrf-vulnerabilities-part-5/
blog.nintechnet.com/...ns-fixed-csrf-vulnerabilities-part-4/
plugins.trac.wordpress.org/...trunk/library/class-export.php