CVE-2024-12184
📋 TL;DR
This vulnerability in the WordPress Contact Forms by Cimatti plugin allows unauthenticated attackers to download form submissions containing potentially sensitive user data. All WordPress sites using this plugin up to version 1.9.4 are affected. The issue stems from missing authorization checks in a file download function.
💻 Affected Systems
- WordPress Contact Forms by Cimatti plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers exfiltrate sensitive personal data (PII, financial information, credentials) from form submissions, leading to data breaches, regulatory fines, and reputational damage.
Likely Case
Attackers download form submissions containing names, email addresses, messages, and other user-provided data, potentially enabling phishing, spam, or harassment campaigns.
If Mitigated
With proper access controls and monitoring, unauthorized downloads are blocked and detected, limiting exposure to little or no sensitive data.
🎯 Exploit Status
The vulnerability is simple to exploit via direct HTTP requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3232168/contact-forms
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Contact Forms by Cimatti' and click 'Update Now'.
4. Verify the plugin version is 1.9.5 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Contact Forms by Cimatti plugin to prevent exploitation.
wp plugin deactivate contact-forms
Web application firewall rule
Block requests to the vulnerable accua_forms_download_submitted_file() endpoint.
Add WAF rule: Block URI path containing 'accua_forms_download_submitted_file'
🧯 If You Can't Patch
- Disable the Contact Forms by Cimatti plugin immediately.
- Implement network-level blocking of requests to the vulnerable endpoint using WAF or firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Contact Forms by Cimatti' version 1.9.4 or lower.
Check Version:
wp plugin get contact-forms --field=version
Verify Fix Applied:
Confirm plugin version is 1.9.5 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP GET requests to endpoints containing 'accua_forms_download_submitted_file' from unauthenticated clients
- Multiple failed authentication attempts followed by file download requests
Network Indicators:
- Spikes in outbound traffic from WordPress server after suspicious file download requests
- Unusual patterns of requests to /wp-content/plugins/contact-forms/
SIEM Query:
source="wordpress.log" AND (uri="*accua_forms_download_submitted_file*" AND user="-")
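The log indicators and SIEM query above, applied to web-server access logs as an added example (not part of the original advisory): it parses combined-format lines, flags hits on the download endpoint, and counts them per source IP. The request URI shape and all log lines are constructed for illustration; note that the log's user field is only populated by HTTP basic auth, so on a typical WordPress site every request shows "-" and the volume per IP is the more useful signal.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD uri proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Indicator named in the advisory's log section (the vulnerable download action).
INDICATOR = "accua_forms_download_submitted_file"

# Constructed sample log lines (not real traffic); the exact URI layout is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=accua_forms_download_submitted_file&file=1 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=accua_forms_download_submitted_file&file=2 HTTP/1.1" 200 4096 "-" "curl/8.4.0"
198.51.100.2 - admin [10/Dec/2024:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=accua_forms_download_submitted_file&file=3 HTTP/1.1" 200 2048 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2024:10:06:00 +0000] "GET /wp-content/plugins/contact-forms/readme.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicator_hits(log_text):
    """All requests whose URI contains the vulnerable action name."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and INDICATOR in e["uri"]]


def unauthenticated_hits(log_text):
    """Hits with no web-server user, mirroring the advisory's uri=... AND user="-" query."""
    return [e for e in indicator_hits(log_text) if e["user"] == "-"]


def per_ip_counts(hits):
    """Count hits per source IP; repeated downloads from one IP suggest bulk exfiltration."""
    return Counter(e["ip"] for e in hits)


if __name__ == "__main__":
    hits = unauthenticated_hits(SAMPLE_LOG)
    for ip, n in per_ip_counts(hits).most_common():
        print(f"{ip}: {n} unauthenticated download request(s)")
```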
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3231363%40contact-forms&new=3231363%40contact-forms&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3232168%40contact-forms&new=3232168%40contact-forms&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/695df547-f068-4ac1-926f-80dbf75632dd?source=cve