CVE-2015-6965 in Contact Form Generator Plugin
Summary
by MITRE
Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a field, (3) delete a field, (4) create a form, (5) update a form, (6) delete a form, (7) create a template, (8) update a template, (9) delete a template, or (10) conduct cross-site scripting (XSS) attacks via a crafted request to the cfg_forms page in wp-admin/admin.php.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/11/2025
The vulnerability identified as CVE-2015-6965 represents a critical cross-site request forgery weakness within the Contact Form Generator plugin for WordPress, affecting versions 2.0.1 and earlier. This flaw resides in the plugin's administrative interface where it fails to implement proper anti-CSRF protection mechanisms, creating a significant attack surface that could be exploited by remote threat actors. The vulnerability specifically targets the cfg_forms page located within the wp-admin/admin.php endpoint, making it accessible to authenticated administrators who are logged into their WordPress dashboard.
The technical implementation of this vulnerability stems from the absence of anti-CSRF tokens or similar validation mechanisms when processing administrative requests within the plugin's backend. Attackers can craft malicious requests that appear to originate from legitimate administrators, exploiting the trust relationship between the user's browser and the WordPress administration interface. The vulnerability encompasses multiple attack vectors including field creation, update, and deletion operations, as well as form and template management functions, making it particularly dangerous as it can be leveraged for comprehensive administrative control. The inclusion of XSS capabilities within the same vulnerability scope amplifies the potential impact, as attackers could combine CSRF with XSS to execute malicious scripts in the context of the victim's browser.
The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with complete administrative control over the affected WordPress site. Successful exploitation could result in unauthorized modifications to contact forms, template configurations, and field definitions, potentially leading to data exfiltration or service disruption. The ability to perform XSS attacks through this vector creates additional risk for site visitors who may encounter malicious scripts when interacting with compromised forms. This vulnerability directly maps to CWE-352, which defines Cross-Site Request Forgery, and aligns with ATT&CK technique T1078.004 for valid accounts, as it enables attackers to leverage legitimate administrator credentials. The attack surface is particularly concerning because the vulnerability affects a widely used plugin, increasing the potential for mass exploitation.
Mitigation strategies for this vulnerability must be implemented immediately through plugin version updates to the latest secure release. Administrators should ensure that all WordPress installations are running the patched version of the Contact Form Generator plugin, as the vulnerability has been addressed in subsequent releases. Security hardening measures should include implementing proper CSRF token validation mechanisms, ensuring that all administrative requests require authentication tokens that are tied to the user session. Network-level protections such as web application firewalls can provide additional layers of defense, while regular security audits of installed plugins should be conducted to identify and remediate similar vulnerabilities. The principle of least privilege should be enforced by restricting administrative access to only necessary personnel and implementing multi-factor authentication for administrative accounts. Regular monitoring of plugin updates and security advisories from WordPress.org and the plugin developer is essential for maintaining a secure WordPress environment. Organizations should also consider implementing automated patch management systems to ensure timely application of security updates.