Published:2019/02/28 Last Updated:2019/02/28
JVN#97656108
WordPress plugin "Smart Forms" vulnerable to cross-site request forgery
Overview
The WordPress plugin "Smart Forms" contains a cross-site request forgery vulnerability.
Products Affected
- Smart Forms 2.6.15 and earlier
Description
The WordPress plugin "Smart Forms" provided by RedNao contains a cross-site request forgery vulnerability (CWE-352).
Impact
Unintended operations may be performed if a user logs into the WordPress administration screen and browses a malicious page.
Those operations may include generating new forms, inserting JavaScript code to existing forms, and deleting existing forms.
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| RedNao | WordPress Plugins - Smart Forms - Changelog |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score:
4.3
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score:
2.6
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Masaki Saito of TDU Cryptography Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2019-5924 |
| JVN iPedia |
JVNDB-2019-000016 |