# Title: Form Maker by WD [CSRF → LFI]
# Date: 2019-03-17# Exploit Author: Panagiotis Vagenas# Vendor Homepage: # Software Link: # Version: 1.13.2# Tested on: WordPress 5.1Description-----------Plugin implements the following AJAX actions:- `generete_csv`- `generete_xml`- `formmakerwdcaptcha`- `formmakerwdmathcaptcha`- `product_option`- `FormMakerEditCountryinPopup`- `FormMakerMapEditinPopup`- `FormMakerIpinfoinPopup`- `show_matrix`- `FormMakerSubmits`- `FormMakerSQLMapping`- `select_data_from_db`- `manage_fm`- `FMShortocde`All of them call the function `form_maker_ajax`. This functiondynamicaly loads a file defined in `$_GET['action']` or`$_POST['action']` if the former is not defined. Because of the wayWordPress defines the AJAX action a user could define the plugin actionin the `$_GET['action']` and AJAX action in `$_POST['action']`.Leveraging that and the fact that no sanitization is performed on the`$_GET['action']`, a malicious actor can perform a CSRF attack to load afile using directory traversal thus leading to Local File Inclusionvulnerability.Plugin also registers the following AJAX actions:- `paypal_info`- `checkpaypal`Those seems like the are only available to PRO version users, yet theyalso are vulnerable to this attack.Additionally the following AJAX actions are registered in PRO version:- `get_frontend_stats`- `frontend_show_map`- `frontend_show_matrix`- `frontend_paypal_info`- `frontend_generate_csv`- `frontend_generate_xml`Those have the function `form_maker_ajax_frontend` as a callback. All ofthem are vulnerable to the aforementioned attack. What's moreinteresting about those is the fact that are available to non-registeredusers also, making this attack directly exploitable, without using aCSRF attack. In this case the vulnerable param is `$_REQUEST['page']`.
------
PoC
### Using a CSRF attack```HTML
```
### Without leveraging the CSRF vulnerability
```shcurl 'http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php' -d 'action=get_frontend_stats&page=/../../../../../index'
```