CVE-2019-25734
Severity: MEDIUM
Contact Form by WD 1.13.1 CSRF to Local File Inclusion
Title source: cna
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-25734. PoCs published by Peyman Forouzan.
AI-analyzed exploit summary: This exploit demonstrates a CSRF-to-LFI vulnerability in the Contact Form by WD plugin (version 1.13.1). It leverages unsanitized AJAX actions to perform directory traversal and include local files. The PoC consists of a form that submits a crafted request to trigger the vulnerability.
Description
Contact Form by WD 1.13.1 contains a cross-site request forgery (CSRF) vulnerability combined with local file inclusion (LFI) that allows unauthenticated attackers to include arbitrary files through unsanitized action parameters. An attacker can craft a malicious form that targets the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter, so that the file is loaded via CSRF and authentication on the vulnerable AJAX actions is bypassed.
Exploits (1)
References (4)
Scores
CVSS 3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Note that this vector (local attack vector, no user interaction, no confidentiality impact) does not match the CSRF delivery described above, which is reached over the network and depends on a privileged user being lured into submitting the crafted form; reconcile the score with the description before relying on the MEDIUM rating for prioritization.