CVE-2023-45275 - Missing Authorization Vulnerability in Kali Forms Contact Form Builder with Drag & Drop. Exploiting Incorrectly Configured Access Control Security Levels

Kali Forms is a popular WordPress plugin for building contact forms through a simple drag-and-drop interface. A missing-authorization vulnerability, tracked as CVE-2023-45275, affects versions up to and including 2.3.28: the plugin performs privileged actions without checking whether the requesting user is entitled to them, which the CVE record describes as exploiting incorrectly configured access control security levels. The result is unauthorized access to form configuration and to potentially sensitive data tied to contact forms.

In this post, we will provide details on the vulnerability, including a code snippet demonstrating the exploit, links to the original references, and suggestions on how to mitigate the issue.

Exploit Details

The root cause of CVE-2023-45275 is a missing authorization check (CWE-862) in the Kali Forms Contact Form Builder plugin: the code that handles privileged requests acts on them without first confirming that the caller holds the capability the action requires. In a WordPress plugin this typically means an admin-ajax.php or REST handler that never calls current_user_can() before it reads or writes. As a result, attackers can perform sensitive actions, such as modifying existing forms, creating new forms and deleting forms, without proper authorization, and unauthorized users can view submissions and data from forms they should not have access to.
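To make the class of bug concrete, here is an added example (not Kali Forms' code, and not taken from the original post) of a generic WordPress admin-ajax handler, first in the vulnerable shape and then hardened with the checks a missing-authorization bug lacks. The plugin name, the example_save_form action, the example_form_ option key and the manage_options capability are assumptions chosen for illustration; the file runs inside WordPress when placed under wp-content/plugins/.

```php
<?php
/**
 * Plugin Name: Example Form Saver (added illustration)
 *
 * Added example for this post, not Kali Forms' code. It shows the generic
 * admin-ajax.php handler pattern a missing-authorization bug lives in, first
 * without checks and then hardened. The action name "example_save_form",
 * the option key and the capability are hypothetical.
 */

if (!defined('ABSPATH')) {
    exit; // Only run when loaded by WordPress.
}

/**
 * Vulnerable pattern (shown for contrast, not registered below): the handler
 * does what it is asked as soon as the request reaches it. admin-ajax.php
 * routes every POST with action=example_save_form to the wp_ajax_ callback
 * for any logged-in user, whatever their role, so a subscriber could create
 * or overwrite forms.
 */
function example_save_form_vulnerable() {
    $form_id    = isset($_POST['form_id']) ? absint($_POST['form_id']) : 0;
    $form_title = isset($_POST['form_title'])
        ? sanitize_text_field(wp_unslash($_POST['form_title']))
        : '';

    update_option('example_form_' . $form_id, $form_title);
    wp_send_json_success(['form_id' => $form_id, 'title' => $form_title]);
}

/**
 * Hardened pattern: authorization first, then request-forgery protection,
 * then input handling. Both checks end the request on failure.
 */
function example_save_form_hardened() {
    // 1. Authorization (the missing piece in CWE-862): may this user manage
    //    forms at all? wp_send_json_error() calls wp_die() for AJAX requests,
    //    so nothing below runs for an unauthorized caller.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'You are not allowed to save forms.'], 403);
    }

    // 2. Nonce: ties the request to a page this user actually loaded, so an
    //    administrator cannot be tricked into submitting it from another site.
    //    check_ajax_referer() dies with -1 when the nonce is missing or bad.
    check_ajax_referer('example_save_form', 'nonce');

    // 3. Only then parse and persist the input.
    $form_id    = isset($_POST['form_id']) ? absint($_POST['form_id']) : 0;
    $form_title = isset($_POST['form_title'])
        ? sanitize_text_field(wp_unslash($_POST['form_title']))
        : '';
    if ($form_id === 0 || $form_title === '') {
        wp_send_json_error(['message' => 'form_id and form_title are required.'], 400);
    }

    update_option('example_form_' . $form_id, $form_title);
    wp_send_json_success(['form_id' => $form_id, 'title' => $form_title]);
}

// wp_ajax_{action} fires for logged-in users only. Registering the same
// callback on wp_ajax_nopriv_{action} would expose it to anonymous visitors,
// which a form-management action never needs.
add_action('wp_ajax_example_save_form', 'example_save_form_hardened');

// The nonce the hardened handler expects is minted server-side for the admin
// page hosting the form builder and sent back as the "nonce" POST field.
function example_form_builder_nonce() {
    return wp_create_nonce('example_save_form');
}
```

The order matters: the capability check is the authorization control and is what CVE-2023-45275 describes as missing; the nonce on its own does not authorize anything, it only proves the request originated from a page the same user loaded, so a handler that checks the nonce but not the capability is still exploitable by any account that can load the builder page.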

Code Snippet

The following request shows the shape of an exploit attempt: a specially crafted POST to admin-ajax.php that asks the plugin to save a new contact form. The bracketed values are placeholders to be filled in for the target, and the action and parameter names should be confirmed against the handlers the installed plugin version registers on its wp_ajax_ hooks before relying on them:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target-wordpress-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: [LENGTH]

action=kali_forms_save_form&serialized_form=[MALICIOUS DATA]&form_grid=[GRID DATA]&form_title=[NEW FORM TITLE]&form_id=[NEW FORM ID]

Original References

The following resources provide more information and background on the CVE-2023-45275 vulnerability in Kali Forms Contact Form Builder:

1. Kali Forms Changelog
2. CVE-2023-45275 in MITRE's CVE List (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45275)
3. Kali Forms Developer Documentation

Mitigation

To protect your website from potential exploitation of this vulnerability, consider the following steps:

1. Update the Kali Forms Contact Form Builder plugin to the latest version (2.3.29 or higher) immediately. The developers have addressed the vulnerability in these later versions, so updating should resolve the issue.
2. Review your user access controls and ensure that only trusted users have administrative privileges for your WordPress installation. Because a missing-authorization bug is reached by accounts that were never meant to hold the affected capability, also check whether open registration (Settings > General, "Anyone can register") is enabled and remove stale low-privilege accounts; fewer accounts able to reach the plugin's handlers means less exposure until the update is applied.
3. Regularly monitor your site for unauthorized changes or suspicious activity, for example forms you did not create or edit, and POST requests to admin-ajax.php from accounts that have no business managing forms. This helps you detect exploitation attempts and respond more quickly.

Conclusion

The CVE-2023-45275 vulnerability in Kali Forms Contact Form Builder is a serious issue that can allow unauthorized access to sensitive data and functionality on affected WordPress sites. It's crucial for website administrators to take immediate action by updating the plugin to the latest version and implementing proper access control measures.

Timeline

Published on: 01/02/2025 12:15:09 UTC