The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to missing nonce verification in the process_bulk_action() function: the nonce check is only executed when _wpnonce is present in the POST body, so it can be trivially bypassed by omitting the field. This is combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
WP Contact Form 7 DB Handler plugin versions up to 3.0 are vulnerable to CSRF-enabled SQL injection and PHP object injection due to missing nonce verification and unsafe deserialization. An attacker can trick administrators into deleting arbitrary files through a crafted CSRF page.
The WP Contact Form 7 DB Handler plugin contains a CSRF vulnerability combined with SQL injection and unsafe PHP object deserialization. An attacker can create a CSRF page that tricks a logged-in WordPress administrator into deleting arbitrary files from the server. The vulnerability results from improper nonce verification and the use of unsanitized user input in SQL queries.
Update WP Contact Form 7 DB Handler plugin to version 3.1 or later immediately. Implement proper nonce verification in all administrative functions. Sanitize and parameterize all SQL queries using prepared statements. Disable PHP object deserialization or implement strict input validation. Review user permissions and restrict plugin access to trusted administrators only.
Update the WP Contact Form 7 DB Handler plugin to version 3.1 or later immediately. Implement proper nonce verification in all administrative functions. Sanitize and parameterize all SQL queries using prepared statements. Disable PHP object deserialization or implement strict input validation. Review user permissions and restrict access to the plugin to trusted administrators only.
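The four weaknesses in the description above (conditional nonce check, interpolated ID, unrestricted unserialize(), unvalidated file paths) map onto the four mitigations listed. The handler below is an added illustration of that hardened shape, written for this page and not the plugin's own code or its 3.1 fix; the function name, the nonce action name 'cfdbh_bulk_action' and the required capability are assumptions, while the WordPress calls used (check_admin_referer(), $wpdb->prepare(), wp_upload_dir(), wp_delete_file()) are real core APIs.

```php
<?php
// Hardened bulk-delete handler (illustrative; not the plugin's own code).
// Assumes WordPress is loaded so $wpdb and the core helpers below exist.
function hardened_process_bulk_action() {
    global $wpdb;

    // 1. Capability and nonce checks run unconditionally; a missing _wpnonce
    //    now fails instead of skipping verification.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'cfdbh_bulk_action', '_wpnonce' ); // action name assumed

    // 2. Bind ID as an integer through prepare(); nothing is interpolated
    //    into the WHERE clause, so CHAR()-style UNION payloads cannot apply.
    $id  = isset( $_POST['ID'] ) ? absint( $_POST['ID'] ) : 0;
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT post_content FROM {$wpdb->posts} WHERE ID = %d", $id )
    );
    if ( ! $row ) {
        return false;
    }

    // 3. Deserialize with object instantiation disabled (PHP >= 7.0), so
    //    post_content can only yield scalars and arrays, never objects.
    $data = @unserialize( $row->post_content, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return false;
    }

    // 4. Confine every candidate path to the uploads directory before deleting.
    $base = realpath( wp_upload_dir()['basedir'] );
    if ( false === $base ) {
        return false;
    }
    $deleted = 0;
    foreach ( $data as $key => $value ) {
        if ( ! is_string( $key ) || false === strpos( $key, 'ys_cfdbh_file' ) || ! is_string( $value ) ) {
            continue;
        }
        // realpath() collapses ../ segments and symlinks; anything that does
        // not resolve to a real file strictly inside $base is skipped.
        $target = realpath( $base . '/' . ltrim( $value, '/' ) );
        if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }
        wp_delete_file( $target );
        $deleted++;
    }
    return $deleted;
}
```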