Contact Form & SMTP Plugin for WordPress by PirateForms Arbitrary Shortcode Execution Vulnerability
Vulnerability
A vulnerability allowing arbitrary shortcode execution has been identified in the Contact Form & SMTP Plugin for WordPress by PirateForms, affecting all versions through 2.6.0. The issue arises because the plugin allows users to execute actions without proper validation, enabling unauthenticated attackers to run arbitrary shortcodes.
Impact
Exploitation of this vulnerability allows for arbitrary shortcode execution, which could be used to execute potentially harmful actions or scripts within the WordPress environment.
Reproduction
The vulnerability can be reproduced by sending a request to the WordPress site with the 'pirate_forms' shortcode, including any desired parameters. The absence of proper validation allows the execution of arbitrary shortcodes, which could be used to manipulate the site or execute malicious actions.
Remediation
Users are advised to update the plugin to version 2.6.1 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.