Published:2019/02/26 Last Updated:2019/02/26
JVN#83501605
WordPress plugin "FormCraft" vulnerable to cross-site request forgery
Overview
The WordPress plugin "FormCraft" contains a cross-site request forgery vulnerability.
Products Affected
- FormCraft 1.2.1 and earlier
Description
The WordPress plugin "FormCraft" provided by nCrafts contains a cross-site request forgery vulnerability (CWE-352).
Impact
Unintended operations may be performed if a user logs into the WordPress administration screen and browses a malicious page.
Those operations may include generating new forms, inserting JavaScript code to existing forms, and deleting existing forms.
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| nCrafts | WordPress Plugins - FormCraft - Changelog |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score:
4.3
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score:
2.6
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Masaki Saito of TDU Cryptography Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2019-5920 |
| JVN iPedia |
JVNDB-2019-000011 |