CVE-2022-0591 The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter, which can be used to exploit SSRF issues.

The plugin does not sanitize the input from an attacker controlled server and therefore does not reject the request if it comes from an attacker controlled server. This can lead to SSRF attacks where unauthenticated attackers can post malicious content on your site. The plugin does not validate the request at all, which means that an attacker can send any kind of request they want through any proxy or if your server is compromised, and the plugin will simply execute it without checking if the request is valid. This can lead to many different types of attacks like posting a link to a malicious image that then infects all visitors to your site. What’s worse, the plugin is outdated and not being updated anymore, so the developers have no more time to fix it. This means that the plugin is not being patched, which means there is a high risk that the plugin will be exploited by attackers. To protect your site from this vulnerability, update to the latest version of FormCraft WordPress plugin as soon as possible.

WordPress Software Versions Affected by CVE-2022-0591

* SiteGround WordPress Hosting
WordPress version 4.9.4
WordPress version 4.8.1
WordPress version 4.7.5
WordPress version 4.6.2
WordPress version 4.5.1
WordPress version 3.9

Timeline

Published on: 03/21/2022 19:15:00 UTC
Last modified on: 03/28/2022 18:54:00 UTC

References