CVE-2022-0591
📋 TL;DR
This vulnerability in the FormCraft WordPress plugin allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks. Attackers can exploit the unvalidated URL parameter in the formcraft3_get AJAX action to make the server send requests to internal systems. Any WordPress site running vulnerable versions of FormCraft is affected.
💻 Affected Systems
- FormCraft WordPress Plugin
📦 What is this software?
Formcraft3 by Subtlewebinc
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data from internal networks, or pivot to attack other internal systems.
Likely Case
Attackers scan internal networks, access metadata services, or interact with internal APIs to gather information.
If Mitigated
Limited to external resource interaction if proper network segmentation and egress filtering are in place.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.28
Vendor Advisory: https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the FormCraft plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.8.28+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable formcraft3_get AJAX action.
Add to the theme's functions.php or a custom plugin (the calls must run after the plugin has registered its hooks, otherwise there is nothing to remove; the theme's functions.php loads after plugins, so placing them there satisfies this):
// Unregister the AJAX handler for unauthenticated (nopriv) and authenticated callers.
remove_action('wp_ajax_nopriv_formcraft3_get', 'formcraft3_get');
remove_action('wp_ajax_formcraft3_get', 'formcraft3_get');
Temporary plugin deactivation
Disable the FormCraft plugin until patched:
wp plugin deactivate formcraft-form-builder
🧯 If You Can't Patch
- Implement strict egress filtering to block outbound requests from web servers to internal networks.
- Deploy web application firewall rules to block requests containing suspicious URL parameters sent to the formcraft3_get endpoint.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > FormCraft version. If the version is below 3.8.28, the system is vulnerable.
Check Version:
wp plugin get formcraft-form-builder --field=version
Verify Fix Applied:
Confirm FormCraft plugin version is 3.8.28 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with action=formcraft3_get and url parameter
- Unusual outbound connections from web server to internal IP ranges
Network Indicators:
- Web server making unexpected HTTP requests to internal services or unusual external domains
SIEM Query:
source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=formcraft3_get*" AND query="*url=*"
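The log indicators above can be turned into a small offline detection routine. The following Python is an added example, not part of the advisory or the FormCraft plugin: it parses combined-format access-log lines (the sample lines are constructed, not real traffic), keeps only requests to /wp-admin/admin-ajax.php with action=formcraft3_get and a url parameter, and rates a hit "high" when the requested url points at a private, loopback or link-local address (the SSRF-to-internal-network case the risk section describes) and "medium" otherwise. Function names, the regex and the severity labels are this example's own choices.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined log format (not real traffic).
# Lines 1, 2 and 5 carry the formcraft3_get action with a url parameter; 3 and 4 do not.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2022:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.11 - - [10/Feb/2022:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get&url=http%3A%2F%2Fexample.org%2Fform.json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Feb/2022:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Feb/2022:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Feb/2022:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get&url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 300 "-" "python-requests/2.25"
"""

# Source IP, timestamp, method, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def target_is_internal(url):
    """True when the url's host is loopback, private (RFC 1918), link-local or reserved."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: cannot be classified without resolving it, so treat as external here.
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def analyze_line(line):
    """Return a finding dict for a formcraft3_get request carrying a url parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/wp-admin/admin-ajax.php":
        return None
    qs = parse_qs(parts.query)
    if qs.get("action") != ["formcraft3_get"] or "url" not in qs:
        return None
    url = qs["url"][0]  # parse_qs already percent-decodes the value
    return {
        "src": m.group("ip"),
        "ts": m.group("ts"),
        "url": url,
        "status": int(m.group("status")),
        "severity": "high" if target_is_internal(url) else "medium",
    }


def find_formcraft_ssrf(log_text):
    """Scan a block of access-log text and return all findings in log order."""
    return [hit for hit in (analyze_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_formcraft_ssrf(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["url"]} [{hit["severity"]}]')
```

Two caveats when running this against real logs: parameters sent in a POST body do not appear in the access log at all (the third sample line would be invisible to this check even if it carried the action), so pair the log search with the outbound-connection indicators above; and a DNS name in the url parameter can still resolve to an internal address, which is why the network-level egress indicators remain necessary.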