Can you explain this vulnerability to me?

The Kali Forms plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in all versions up to and including 2.4.8. This happens because the permission check on the REST API endpoint `/kaliforms/v1/forms/{id}` only verifies if the user has the `edit_posts` capability, but does not confirm if the user owns or is authorized to access the specific form resource.

As a result, any authenticated user with Contributor-level access or higher can enumerate form IDs and read form configuration data belonging to other users, including administrators.

The exposed data can include form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows authenticated users with Contributor-level access or higher to access sensitive form configuration data that they should not be authorized to see.

• Disclosure of form field structures could reveal the design and logic of forms.
• Exposure of Google reCAPTCHA secret keys can compromise the security of CAPTCHA protections.
• Email notification templates and server paths may be leaked, potentially aiding further attacks or information gathering.

Overall, this can lead to unauthorized information disclosure and increase the risk of further exploitation or data breaches.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the Kali Forms REST API endpoint `/kaliforms/v1/forms/{id}` with an authenticated user account having Contributor-level access or above. If the user can enumerate form IDs and retrieve form configuration data belonging to other users without proper authorization checks, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'A practical detection method is to use an HTTP client (such as curl) to send GET requests to the REST API endpoint for different form IDs and observe if data from forms not owned by the authenticated user is returned.'}, {'type': 'list_item', 'content': 'Authenticate as a Contributor-level user.'}, {'type': 'list_item', 'content': 'Run a command like: curl -i -X GET -H "Authorization: Bearer <token>" https://<wordpress-site>/wp-json/kaliforms/v1/forms/1'}, {'type': 'list_item', 'content': 'Increment the form ID and check if form data from other users is accessible.'}, {'type': 'paragraph', 'content': 'If form data including sensitive information such as Google reCAPTCHA secret keys or email notification templates is accessible for forms not owned by the authenticated user, the vulnerability exists.'}] [2, 3]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should upgrade the Kali Forms plugin to a version later than 2.4.8 where the permission checks on the REST API endpoint `/kaliforms/v1/forms/{id}` have been fixed to verify ownership or proper authorization.

If an immediate upgrade is not possible, restrict access to the REST API endpoint by limiting Contributor-level users from accessing the Kali Forms REST API or disabling the plugin temporarily.

• Update Kali Forms plugin to a patched version that enforces ownership checks.
• Restrict REST API access to trusted users only.
• Temporarily disable the Kali Forms plugin if the vulnerability cannot be mitigated otherwise.

Additionally, review user roles and capabilities to ensure that only trusted users have Contributor-level or higher access.

Useful 0 Not Useful 0