Caldera Forms [Sensitive Data Exposure]


Plugin Caldera Forms - Drag and drop responsive form builder registers AJAX action browse_entries in order to provide a convenient way for admin to see all records from a specific form. This action calls the browse_entries() function, which lacks capabilities checks, in order to provide the information requested, thus allowing a registered user to exploit it in order to get sensitive information.

The same result can be achieved by exploiting the action get_entry with the main difference that this time the attacker must provide entry ids.

In order to exploit this an attacker will need a registered user account and the ID of the form. The later can be acquired from various elements of the form HTML mark up like the one displayed bellow:

<input name="_cf_frm_id" value="CF5719ec6205cb3" type="hidden">


First a form must be created and some entries added in it. Next the attacker can use a request like:

POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: [COOKIES]


or using the get_entry action:

POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: [COOKIES]