CVE-2022-0591
published 2022-03-21

Priority: P1 / 83
Severity: critical (CVSS 3.1 base score 9.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 20.25% (97.1st percentile)
The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users

Affected

1 range

Vendor        Product      Version range   Fixed in
subtlewebinc  formcraft3   < 3.8.28        3.8.28

Detection & IOCs (extracted from sources)

url:  /wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://{{interactsh-url}}
path: /wp-admin/admin-ajax.php
path: /wp-content/plugins/formcraft3/
  • Detect exploitation attempts by monitoring GET requests to /wp-admin/admin-ajax.php with the query parameter action=formcraft3_get and a URL parameter present, especially from unauthenticated users.
  • Confirm plugin presence on target by checking HTTP response body for the string '/wp-content/plugins/formcraft3/' before probing the SSRF endpoint.
  • Out-of-band SSRF confirmation: look for an outbound HTTP callback carrying 'User-Agent: WordPress' originating from the WordPress server after the formcraft3_get action is triggered.
  • Use FOFA query 'body="formcraft3" && body="wp-"' to identify internet-exposed WordPress instances running the vulnerable FormCraft3 plugin.
  • The vulnerability is exploitable by unauthenticated users — no credentials or session token are required to trigger the SSRF via the formcraft3_get AJAX action.
  • The Nuclei template uses a two-step flow: step 1 confirms plugin presence via the body string, and step 2 fires the SSRF probe — both conditions must be met (flow: http(1) && http(2)).
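The first detection bullet above, turned into runnable log-review code. This is an added example, not part of the cbcvebase record or the Nuclei template: it parses Apache combined-format access-log lines (constructed sample data), flags requests to /wp-admin/admin-ajax.php that carry action=formcraft3_get together with a URL parameter, and additionally labels whether the fetched target is a loopback, private or link-local address, which is the case a responder would want to triage first.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2022:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://callback.example.net/x HTTP/1.1" 200 512 "-" "curl/7.81"
198.51.100.4 - - [21/Mar/2022:10:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 73 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2022:10:16:40 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get&URL=http://10.0.0.5:8080/ HTTP/1.1" 200 2048 "-" "curl/7.81"
192.0.2.9 - - [21/Mar/2022:10:17:01 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get HTTP/1.1" 400 0 "-" "python-requests/2.27"
"""

# Client IP, timestamp, method, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_target(url):
    """Label the host the server was asked to fetch: 'internal' for loopback, private or
    link-local literal IPs, otherwise 'external'. A hostname is reported as external even
    though DNS could still resolve it internally, so it is a triage hint, not proof."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"

def find_formcraft3_ssrf_attempts(log_text):
    """Return one record per request matching the CVE-2022-0591 pattern from the record above:
    path /wp-admin/admin-ajax.php, action=formcraft3_get, and a URL parameter present."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/wp-admin/admin-ajax.php":
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        # PHP reads $_GET keys case-sensitively, so match the parameter name exactly.
        if qs.get("action") != ["formcraft3_get"] or "URL" not in qs:
            continue
        url = qs["URL"][0]
        hits.append({"src": m["ip"], "time": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "fetched_url": url,
                     "target": classify_target(url)})
    return hits

if __name__ == "__main__":
    for h in find_formcraft3_ssrf_attempts(SAMPLE_LOG):
        print(f"{h['time']} {h['src']} {h['method']} -> {h['fetched_url']} ({h['target']})")
```

Only the two requests that carry both the action and a URL parameter are reported; the bare formcraft3_get request without a URL and the unrelated heartbeat action are ignored.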

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd        v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:P/A:N
vulncheck  -         9.1     CRITICAL   -