{"id":2867,"date":"2024-02-12T16:45:44","date_gmt":"2024-02-12T16:45:44","guid":{"rendered":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/"},"modified":"2024-02-12T16:45:44","modified_gmt":"2024-02-12T16:45:44","slug":"wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage","status":"publish","type":"post","link":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/","title":{"rendered":"WP Contact Form <= 1.6 – Cross-Site Request Forgery via wpcf_adminpage"},"content":{"rendered":"
In this article we address the Cross-Site Request Forgery (CSRF) vulnerability present in the WP Contact Form plugin for WordPress, in versions up to 1.6. This vulnerability is due to missing nonce validation in the ‘wpcf_adminpage’ function. It allows unauthenticated attackers to modify the plugin's settings through a forged request, provided they can trick a site administrator into performing an action, such as clicking a link.


CSRF is a type of attack in which an attacker tricks an authenticated user into performing an unwanted action on a website. In the case of the WP Contact Form plugin, this vulnerability lets an attacker take advantage of the missing nonce validation in the ‘wpcf_adminpage’ function to modify the plugin's settings without authorization.

One way to remedy this problem is to make sure the WP Contact Form plugin is updated to the latest available version, since these vulnerabilities have been fixed in versions after 1.6.

In addition, it is recommended to implement extra security measures, such as using security plugins that verify and validate the requests made by users, and educating site administrators about social engineering techniques and how to recognize possible CSRF attempts.

The Cross-Site Request Forgery (CSRF) vulnerability present in the WP Contact Form plugin for WordPress, in versions up to 1.6, puts the integrity of the plugin's settings at risk. It is crucial to make sure the latest version of the plugin is installed and to take additional security measures to prevent possible attacks. Staying up to date and informed about security techniques is essential to protecting our website and its users.","protected":false},"excerpt":{"rendered":"

En este art\u00edculo abordaremos la vulnerabilidad de Cross-Site Request Forgery (CSRF) presente en el plugin WP Contact Form para WordPress, en versiones hasta 1.6. Esta vulnerabilidad se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n ‘wpcf_adminpage’. Esto permite que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[580],"class_list":["post-2867","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cve-2024-24929"],"yoast_head":"\nWP Contact Form <= 1.6 - Cross-Site Request Forgery via wpcf_adminpage - SeguridadWordPress.es<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WP Contact Form <= 1.6 - Cross-Site Request Forgery via wpcf_adminpage - SeguridadWordPress.es\" \/>\n<meta property=\"og:description\" content=\"En este art\u00edculo abordaremos la vulnerabilidad de Cross-Site Request Forgery (CSRF) presente en el plugin WP Contact Form para WordPress, en versiones hasta 1.6. Esta vulnerabilidad se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n ‘wpcf_adminpage’. 
Esto permite que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n […]\" \/>\n<meta property=\"og:url\" content=\"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/\" \/>\n<meta property=\"og:site_name\" content=\"SeguridadWordPress.es\" \/>\n<meta property=\"article:published_time\" content=\"2024-02-12T16:45:44+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/\",\"url\":\"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/\",\"name\":\"WP Contact Form <= 1.6 - Cross-Site Request Forgery via wpcf_adminpage - SeguridadWordPress.es\",\"isPartOf\":{\"@id\":\"http:\/\/127.0.0.1\/#website\"},\"datePublished\":\"2024-02-12T16:45:44+00:00\",\"dateModified\":\"2024-02-12T16:45:44+00:00\",\"author\":{\"@id\":\"\"},\"breadcrumb\":{\"@id\":\"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/127.0.0.1\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WP Contact Form <= 1.6 – Cross-Site Request Forgery via 
wpcf_adminpage\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/127.0.0.1\/#website\",\"url\":\"http:\/\/127.0.0.1\/\",\"name\":\"SeguridadWordPress.es\",\"description\":\"Recopilaci\u00f3n de vulnerabilidades WordPress.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/127.0.0.1\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WP Contact Form <= 1.6 - Cross-Site Request Forgery via wpcf_adminpage - SeguridadWordPress.es","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/","og_locale":"en_US","og_type":"article","og_title":"WP Contact Form <= 1.6 - Cross-Site Request Forgery via wpcf_adminpage - SeguridadWordPress.es","og_description":"En este art\u00edculo abordaremos la vulnerabilidad de Cross-Site Request Forgery (CSRF) presente en el plugin WP Contact Form para WordPress, en versiones hasta 1.6. Esta vulnerabilidad se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n ‘wpcf_adminpage’. Esto permite que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n […]","og_url":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/","og_site_name":"SeguridadWordPress.es","article_published_time":"2024-02-12T16:45:44+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/","url":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/","name":"WP Contact Form <= 1.6 - Cross-Site Request Forgery via wpcf_adminpage - SeguridadWordPress.es","isPartOf":{"@id":"http:\/\/127.0.0.1\/#website"},"datePublished":"2024-02-12T16:45:44+00:00","dateModified":"2024-02-12T16:45:44+00:00","author":{"@id":""},"breadcrumb":{"@id":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/127.0.0.1\/wp-contact-form-1-6-cross-site-request-forgery-via-wpcf_adminpage\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/127.0.0.1\/"},{"@type":"ListItem","position":2,"name":"WP Contact Form <= 1.6 – Cross-Site Request Forgery via wpcf_adminpage"}]},{"@type":"WebSite","@id":"http:\/\/127.0.0.1\/#website","url":"http:\/\/127.0.0.1\/","name":"SeguridadWordPress.es","description":"Recopilaci\u00f3n de vulnerabilidades WordPress.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/127.0.0.1\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2867"}],"collection":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=2867"}],"version-history":[{"count":0,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2867\/revisions"}],"wp:attachment":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=2867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=2867"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=2867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}